Global Data Hub - latest news

News as at 10 December 2025

ICO publishes results of cookie sweep

On 4 December 2025, the ICO published an update on enforcing cookie rules across the UK’s top 1,000 websites after its latest sweep which focused on:

• whether non-essential advertising cookies were stored on user devices before a choice was offered about whether or not to accept them
• whether rejecting non-essential advertising cookies was as easy as accepting them, and
• whether any such cookies were placed even though a user had not consented.

95% of websites passed compliance tests, with 979 compliant and 21 still failing. 564 were initially non-compliant but improved after ICO engagement, including 17 preliminarcy enforcement notices.

The ICO will keep testing and pursuing non-compliant sites and is working with trade bodies and consent management platforms to make banners compliant by default. It is exploring legislative changes with government to enable low-risk, privacy-friendly advertising without consent. 

ICO publishes interim impact review of Children's Code strategy

At the end of November 2025, the ICO published a report of its interim impact review of the Children's Code strategy. The report looks at the impact of the Children's Code and is broadly positive about the results of its engagement with 32 platforms. A final impact review will be published in 2026/27.

EDPB adopts Recommendations on user accounts on e-commerce sites

On 4 December 2025, the EDPB adopted recommendations on when e-commerce sites may require mandatory account creation. It concluded that, in the majority of cases, guest checkout should be offered, with mandatory accounts limited to narrow cases such as subscriptions or exclusive offers, most likely under the lawful basis of contractual necessity or legal obligation.

EDPB discusses Digital Omnibus proposal

The EDPB discussed the Digital Omnibus at its plenary session on 4 December 2025. It plans to issue a joint Opinion with the EDPS. As a preliminary issue, it concluded that the proposed new definition of "personal data" goes beyond CJEU case law. A stakeholder event is scheduled for 12 December 2025.

Implementing Regulation on technical description of important and critical products under the CRA

On 28 November 2025, the European Commission adopted an Implementing Regulation under the Cyber Resilience Act. It sets out technical descriptions of categories of important and critical products under the CRA. Class I important products includes smart door locks, baby monitoring and alarm systems and home security cameras. Class II important products includes firewalls and anti-spam gateways. Critical products include payment terminals and hardware products that generate and manage cryptographic elements. The requirement for manufacturers to complete conformity assessments for these products will apply from 11 December 2027, although some reporting elements will be introduced earlier. 

DSIT report on data brokers and national security

On 4 December 2025, DSIT published its response to a call for views on data brokers and national security. The report identifies four priority areas for further work including safeguarding the beneficial role data brokers play in sectors including healthcare. It also highlights that responses to the call were divided in terms of adequacy of current data protection laws to protect national security, and the viability of industry standards. DSIT will now refine policy in this area.

ICO issues reprimand to Post Office over Horizon data breach

On 3 December 2025, the ICO issued a reprimand to Post Office Limited for publishing an unredacted settlement agreement online that exposed personal data of 502 Horizon litigants for nearly two months. The ICO cited inadequate security measures and training. The ICO considered issuing a £1.094 million fine but decided the breach did not meet the "egregious" threshold under its public sector approach and so issued a reprimand instead. 

Home Office consultation on using facial recognition in law enforcement

On 4 December 2025, the Home Office launched a consultation on developing a new legal framework governing the use of overt (non-covert) facial recognition, biometrics and similar technologies for law enforcement purposes. The consultation closes on 12 February 2026.

News as at 4 December 2025

Online marketplace is controller of personal data in user-generated ads on its platform, says CJEU

On 2 December 2025, the ECJ handed down its judgment in X v Russmedia Digital and Inform Media Press. It concluded that online marketplaces are (joint) data controllers for GDPR purposes where they process personal data in user-generated content for their own commercial purposes. The judgment makes it clear that this is a very low bar which many platforms are likely to meet. (Joint) controllers will need to check UGC for personal data ahead of publication, verify that any personal data belongs to the user placing the UGC and, if it doesn't, ensure there is an Article 6 GDPR lawful basis and an Article 9 GDPR exemption from the prohibition on processing special category data (where relevant). Where they are joint controllers, they will need to deal with Article 26 GDPR requirements relating to joint controllership in their user terms. In addition, and importantly, they will not be able to rely on liability shields (the hosting exemption and the 'no monitoring obligation' in the e-Commerce Directive/Digital Services Act). This judgement raises complex issues for online marketplaces and platforms. Read more.

DBT report on data standards suggests nine design principles for smart data schemes

On 25 November 2025, the Department for Business and Trade published a report evaluating existing data standards to support future smart data schemes. The report concluded that significant work is required on the existing standards including around interoperability, customer consent to sharing, and data quality and standards. The report suggests nine design principles for data standards covering how they should be created and what they should contain. This is part of the work ahead of creating smart data schemes under the Data (Use and Access) Act.

Cross-border cooperation on GDPR complaints approved by EU Council

On 17 November 2025, the Council of the EU adopted new rules to improve cooperation between national data protection authorities on cross-border GDPR complaints, harmonising admissibility criteria, strengthening complainant involvement, ensuring rights to be heard and to receive preliminary findings, and enabling a simple cooperation procedure for straightforward cases.

Investigations should conclude within 15 months, with a possible 12‑month extension for complex cases, or within 12 months under the simple procedure. Harmonised admissibility will apply regardless of where a complaint is filed.

The Council’s adoption is the final legislative step before publication in the Official Journal. The Regulation will enter into force 20 days after publication in the Official Journal and apply 15 months later. 

ICO to look at children's privacy in mobile games

On 1 December 2025, the ICO announced it would be scrutinising how popular mobile games played by children in the UK protect children's online privacy. The ICO will launch a monitoring programme targeting ten popular mobile games to assess their compliance with default privacy settings, their geolocation controls, their targeted advertising and other data protection issues. The ICO's research reveals widespread parental concern over children's potential exposure to strangers or harmful content through mobile games, as well as about children sharing their personal data, and ad targeting. The ICO points to past and ongoing action to strengthen protection for children online, and to its Children's Code strategy for further guidance.

News as at 20 November 2025

EC Digital Omnibus proposes major changes to EU data and AI laws

On 19 November 2025, the European Commission published its Digital Omnibus proposal. The first part deals with reforms to the EU AI Act, while the second part focuses on the EU data acquis, most notably the GDPR, the ePrivacy Directive and the Data Act. The standout points are delays to the rules on high-risk AI under the EU AI Act, and a new GDPR lawful basis of legitimate interest for processing personal data when developing or operating AI systems (subject to safeguards). Read more.

CJEU clarifies rules on direct marketing to readers of free newsletters

In a reference from Romania, the CJEU ruled on 13 November 2025, that signing up to receive a free newsletter with links to articles which might only be accessible with a paid-for subscription, constituted a 'sale' of a product or service for the purposes of the ePrivacy Directive – a direct monetary payment was not required. Where Article 13(2) ePrivacy applied, the publisher of that newsletter was entitled to send direct electronic marketing to the user of the service's email address without requiring a lawful basis under the GDPR. 

The judgment related to emails sent by a website provided by Inteligo SA which offered limited free access to online content. Additional content was unlocked on registration with an email address, while full access was only available behind a paywall. The user registered but did not subscribe to the paid plan. The provider then sent the user a newsletter highlighting new articles on the website.

The CJEU held that the newsletter qualified as direct marketing, that the Article 13(2) exemption applied as the newsletter related to a previous sale of a product or service and a simple opt-out was provided, so consent was not required. The CJEU also said an additional GDPR lawful basis was not required.

The newsletter constituted direct marketing because its purpose was to direct the user to articles on its website with the aim of the user exhausting their free quota and signing up to view additional articles on a subscription basis.

Article 95 GDPR states that no additional obligations will apply under the GDPR where the ePrivacy Directive imposes specific obligations with the same objective. Consequently, as Article 13(2) provided a lawful basis for sending direct marketing emails, an additional lawful basis under Article 6 GDPR was not required. Read more.

ICO guidance for education sector on sharing data for children's safeguarding

On 12 November, the ICO published guidance on sharing information to safeguard children and young people in the education sector. The guidance is aimed at education sector organisations and complements the ICO's 1-step guidance. The ICO intends to publish additional guidance on sharing data for safeguarding purposes aimed at other sectors including the health sector.

Meta given permission to intervene in joined data transfer appeals

It was reported last week that at the end of October 2025, Meta Platforms Ireland was given leave to intervene in the joined appeals to be heard by the CJEU in the Bindl case and the challenge to the EU-US DPF brought by French MP Philippe Latombe. Meta was judged to have a direct and current interest in the outcome of the rulings as both cases relate to its transfer of personal data from the EU to the USA.

EDPS guidance for risk management of AI systems

On 11 November 2025, the EDPS published guidance to help identify and mitigate common technical risks associated with AI systems. The guidance is for controllers conducting data protection risk assessments when procuring, developing and deploying AI systems under the EUDPR which governs processing of personal data by EU institutions, offices and agencies.

News as at 13 November 2025

UK's Cyber Security and Resilience Bill presented to Parliament

On 12 November 2025, the UK's Cyber Security and Digital Resilience (Network and Information Systems) Bill was presented to Parliament. Much of what the Bill contains was trailed in the government's April 2025 policy statement. The Cyber Security and Resilience Bill will largely expand and update the scope of the current 2018 NIS Regulations which implemented the EU NIS Directive, now replaced in the EU by the NIS2 Directive which was enacted after Brexit. This means the focus of the planned UK Bill is on operators of essential services (OESs), relevant digital service providers (RDSPs), and related supply chains. Among other things, the Bill:

• covers transport, energy, drinking water, health and digital infrastructure, including marketplaces, online search engines and cloud computing services. Managed service providers are now within scope
• brings certain data centres within the OES classification
• provides for stronger supply chain duties for operators of essential services (OESs) and relevant digital service providers (RDSPs)
• gives regulators new powers including to identify and designate suppliers as "designated critical suppliers" (DCS) subject to security requirements
• provides for updated technical standards to be placed on a statutory footing and, where appropriate, extend them to OESs
• updates the current incident reporting requirements. Regulated entities will be required to notify their regulator of a significant security incident no later than 24 hours after becoming aware, followed by an incident report within 72 hours. OESs that experience a significant incident will also be required to alert customers who may be affected
• gives powers to the Secretary of State to update the regulatory framework under secondary legislation (subject to safeguards) and to instruct regulators and the organisations they oversee to take specific, proportionate steps to prevent cyber attacks where there is a threat to national security
• overhauls the sanction regime. Maximum penalties of up to £17m or 4% of annual global turnover (10% in relation to certain national security direction breaches) will be introduced.

Leaks of Digital Omnibus proposals

The European Commission is set to unveil its Digital Omnibus proposals on 19 November 2025. These are intended to simplify the digital regulatory framework in the EU. Leaked documents show two proposals – one focused on the AI Act, and one focused on the data acquis in relation to which the principal changes are to the GDPR, the ePrivacy Directive and the Data Act. The Data Governance Act, the Open Data Directive, the Freeflow of Data Regulation and the Platform to Business Regulation will be repealed. A single-entry point for incident reporting across the GDPR, NIS2, DORA and eIDAS will be created.

The leaked versions may be very different from what is ultimately published next week but key proposed changes in the leaked draft are as follows:

GDPR and ePrivacy Directive

• changes to the definition of personal data, health data and special category data
• a new lawful basis of legitimate interest for using personal data for developing or operating AI systems (subject to safeguards)
• two new Article 9 derogations including in relation to the processing of special category data for developing and operating AI
• the inclusion of amended cookie rules in the GDPR rather than in the ePrivacy Directive
• reduced information requirements
• clarification on when a DSAR may be refused or charged for
• minor clarifications to Article 22 on ADM
• proposals for common templates for breach reporting and DPIAs and removing individual Member State lists of when DPIAs should and need not be carried out, with a central list to be provided by the EDPB.

Data Act

• additional protection for trade secrets
• narrowing of the public emergency provisions
• a lighter regime for data switching services that are custom-made or provided by SMEs/SMCs whose contracts were made before 12 September 2025
• a move from compulsory to voluntary notification for data intermediation services and other steps to lighten their regulatory burden
• scope for public service bodies to set out different conditions and charge higher fees for data access by DMA gatekeepers and very large companies
• the extension of rules applying to SMEs to also cover SMCs.

The leaked working draft on AI shows the direction of travel on the long-rumoured changes to the AI Act. Headline proposals include:

• aligning implementation deadlines to account for the delay in availability of standards
• introducing a transitional grace period of one year for the watermarking obligation (Article 50(2)) for AI systems placed on the market before the obligation becomes operative
• clarification that amendments necessary to integrate the high-risk requirements into sectoral law listed in section B of Annex I apply with the enactment of the Digital Omnibus' entry into force. Additionally, the Commission should not present proposals for delegated or implementing acts to integrate these requirements into existing law within one year
• extending SME privileges to small mid-caps
• placing AI literacy obligations on the Commission and Member States rather than on operators
• offering more flexibility in post-market monitoring
• reducing the registration burden for AI systems used in high-risk areas where the provider has concluded they are not in fact high risk.
• allowing providers and deployers of all AI systems and models (not just high-risk) to process special category personal data for the purpose of ensuring bias detection and correction, subject to appropriate safeguards
• creating broader use of AI regulatory sandboxes and real-world testing
• clarifying the interplay between the AI Act and other EU legislation
• centralising oversight of AI embedded in VLOPs and VLOSEs with the AI Office.

EDPB consultation on GDPR compliance templates

On 5 November 2025, the EDPB launched a consultation to develop ready-to-use templates to support GDPR compliance. The consultation seeks input on which templates would be most useful for organisations. The EDPB will develop templates for core requirements including Data Protection Impact Assessments and personal data breach notifications. It invites suggestions on further templates, such as privacy notices and records of processing activities. The consultation is open until 3 December 2025. 

2025 GPEN sweep to focus on children's data protection

On 3 November 2025, the Global Privacy Enforcement Network announced that more than 30 data protection authorities around the world would conduct a sweep of websites and mobile apps commonly used by children. The focus will be on whether websites and apps that are known to be used by children, cater to them or collect their data, are transparent about their privacy practices, have appropriate age assurance in place and use appropriate controls to limit collection of children's data.

EDPB backs Brazil adequacy decision

On 5 November 2025, the EDPB announced it had adopted an Opinion on the EC's draft adequacy decision for Brazil. The EDPB is broadly supportive but recommends the Commission clarify Brazil's approach to law enforcement and monitor issues around transparency and onward transfers and address any issues before adoption.

LinkedIn rows back on AI training plans in the EU

On 7 November 2025, the Irish DPC issued a statement on LinkedIn’s plan to train its generative AI model using EU/EEA data. Following risk findings by the DPC, LinkedIn adopted changes including improved transparency and opt-out tools, a narrower dataset and timeframe, exclusion of under-18s, filters for potentially sensitive content including trade union material, and more detailed risk assessments and other documentation including their LIA, DPIA and compatibility assessment. EU/EEA users should have been sent notifications from LinkedIn, informing them of how to exercise their right to object to their personal data being used to train LinkedIn's AI models. 

The DPC requires a report evaluating safeguards within five months of processing commencing. It has not approved or found the processing compliant but will monitor the situation. 

---

News as at 6 November 2025

UK's Cyber Resilience Bill reportedly to be introduced on 12 November

The UK government is reportedly set to introduce its Cyber Security and Resilience Bill to Parliament on 12 November. The Bill is expected (among other things) to extend the scope of the NIS Regulations including to cover managed service providers, update the current incident reporting regime and enhance transparency requirements for digital services and data centres. It is also expected to empower regulators and enhance oversight and may classify data infrastructure as a relevant sector, and certain types of data centre as operators of essential services. The government has said it is also considering options to further improve the cyber security and resilience of data centres and refreshing its National Cyber Strategy. See here for a refresher.

ICO call for views on enforcement procedural guidance

In 31 October 2025, the ICO published a call for views on new Regulatory Action Policy. The consultation closes on 23 January 2026.

The ICO says the draft guidance is more detailed than previous guidance and clearly sets out the processes it follows and factors it considers when using its powers. In particular, it covers:

• what to expect during an investigation
• how the ICO will uses its information gathering powers
• how it decides on the outcome of an investigation and use of enforcement powers
• when it will consider reducing a fine and the process involved.

The consultation closes on 23 January 2026.

IAB Europe submits joint response on EDPB draft guidelines on the interplay between the DSA and the GDPR

On 31 October 2025, IAB Europe submitted a joint response to the EDPB’s public consultation on Draft Guidelines 3/2025 concerning the interaction between the DSA and the GDPR. The submission expresses concern that the guidelines were developed without the input of the Digital Services Coordinators, the European Board for Digital Services or the European Commission and urges the EDPB to consult with relevant regulators before finalising the guidance and to refrain from interpreting substantive provisions of the DSA beyond its competence.

The response asks the EDPB to confirm that advertising, including personalised advertising, is not automated decision-making under Article 22(1) GDPR. It seeks clarification that processing undertaken to meet Article 26 DSA transparency duties may rely on legal obligation or legitimate interests (whether by platforms or third parties that support ad placement), and that limited third-party access for compliance is permissible with purpose limitation, data minimisation and security safeguards. It recommends that the EDPB clarify that intent and actual inference must both be present for processing to fall within Article 9 GDPR.

It advocates a proportionate, risk-based approach to age assurance aligned with GDPR and the Commission’s Article 28 DSA Guidelines. It calls for structured cooperation between DPAs, DSCs, the EBDS and the Commission to avoid duplicative proceedings and ensure consistent enforcement.

Latombe to appeal General Court decision

Philippe Latombe is reportedly planning to appeal the General Court's dismissal of his challenge to the EU-US Data Privacy Framework although it is not yet clear on what grounds. Any appeal will be heard by the Court of Justice of the European Union.

NOYB files criminal complaint against Clearview AI

On 28 October 2025, NOYB filed a criminal complaint against Clearview AI and its managers with the public prosecutors in Austria under s63 of the Austrian Data Protection Act. NOYB claims that Clearview has failed to respond to various EU Member State enforcement actions which have imposed fines and issued bans. NOYB says Clearview's compliance has not been enforced and no changes have taken place. If successful, Clearview AI executives could be held personally liable.

News as at 30 October

European Parliament adopts GDPR procedural Regulation

On 21 October 2025, the European Parliament approved the GDPR procedural Regulation which will introduce additional rules to speed up and clarify cross-border GDPR enforcement. These include:

• a 15‑month deadline for a lead supervisory authority to conclude investigations and issue a draft decision, extendable by up to 12 months for complex cases
• a simplified cooperation route which sets a 12‑month deadline where scope is clear and there are no objections
• an early resolution route which applies where an infringement has ceased and the complainant does not object within four weeks.

The rules also strengthen complainants’ rights to be heard and to receive information, with Member States permitted to allow greater access. Once the Council has adopted the draft, it will be published in the Official Journal, enter into force 20 days after publication and apply 15 months after that.

UK and Singapore issue international guidance on protection against ransomware attacks in supply chains

On 24 October 2025, the UK government published non-binding guidance together with international partners, in particular Singapore, on protecting against ransomware attacks in the supply chain. The guidance is intended to help organisations spot weaknesses in their supply chain and take steps to mitigate them. It was developed by the UK and Singapore at a global summit of the Counter Ransomware Initiative and has been endorsed by 67 members of the Initiative.

ICO guidance for individuals on 'consent or pay'

On 20 October 2025, the ICO published consent or pay guidance for the public. The brief guidance explains the 'consent or pay' model and stresses that it can be legal provided the organisation using it can demonstrate consent to personalised advertising is freely given. It also highlights what information must be given to individuals and the options that must be given to withdraw consent, as well has how to make complaints.

MoJ and OpenAI deal on data hosting

On 23 October 2025, the government announced OpenAI will expand its British AI offer for businesses that want their data stored in the UK. The deal, secured through the Ministry of Justice, will allow OpenAI's business customers to have their data stored in Britain on secure, sovereign severs to enhance privacy and accountability and reinforce national resilience. 

EC asks for feedback on CRA delegated Act

On 16 October 2025, the EC published a draft delegated act under the Cyber Resilience Act for feedback on the Have your say portal.  The draft act specifies the exceptional conditions and grounds under which a national computer security incident response team (CSIRT) acting as co-coordinator and receiving a notification of an actively exploited vulnerability or severe incident, can delay sending the notification to the CSIRTs of other EU countries.  A notification may be delayed:

• in light of an evaluation of the nature of the notified information
• if the recipient CSIRT cannot guarantee the confidentiality of such information
• if the single reporting platform has been compromised or is not operational.

The call closes on 13 November 2025.  Adoption is expected by the end of the year.

News as at 23 October

EDPB endorses extension of EU-UK adequacy decisions

On 20 October 2025, the EDPB published two Opinions endorsing the extension of the EU-UK adequacy decisions for a further six year period.  While welcoming the continuing alignment between the EU and UK data protection frameworks "despite the recent changes in the UK legal framework", the EDPB urges the Commission to address certain points and continue effective monitoring.  In particular, the EDPB points to the powers of the Secretary of State to introduce secondary legislation in areas including data transfers and automated decision making, and to the different standards in these areas introduced by the UK's Data (Use and Access) Act.  The EDPB also raises potential concerns about the use of Technical Capability Notices requiring companies to circumvent encryption, and any further changes to the structure of the ICO and its corrective powers.

Notwithstanding these slight reservations, this is good news for EU-UK data transfers and smooths the path to seamless extension of the adequacy decisions.

ICO publishes consultation on new charitable purpose soft opt-in rules

On 16 October 2025, the ICO launched a consultation on its approach to the charitable purpose soft opt-in which will enable charities to send direct marketing emails and texts to people who have expressed interest or offered support without prior consent provided the organisations meet the necessary requirements. 

The change is expected to take effect in January 2026 under the Data (Use and Access) Act 2025 which will amend Regulation 22 of PECR to give charities the same soft opt-in rules as apply to businesses.  The change will exclude contacts gathered before commencement. Charities will need to continue to provide clear opt-outs at collection and in every communication.

The purpose of the consultation is to ensure guidance is clear and the ICO provides tips for charities on how to prepare for the changes, including updating privacy notices and keeping separate lists of those who have consented to marketing and those being targeted as a result of soft opt-in.

The ICO invites views by 27 November 2025.

Government highlights three cyber security actions for large businesses

On 14 October 2025, the government wrote to large businesses setting out three actions they should take to improve their cyber resilience:

• make cyber risk a Board-level priority using the Cyber Governance Code of Practice
• sign up to the National Cyber Security Centre's Early Warning service
• require Cyber Essentials in your supply chain.

The government also published a Cyber Action Toolkit for smaller businesses.

EDPB selects 2026 CEF topic on GDPR transparency obligations

On 14 October 2025, the EDPB announced  that its fifth co-ordinated enforcement action will focus on GDPR transparency and information duties (Articles 12 to 14).  The action will be launched over the course of 2026 and following opt-in from DPAs.

PSTIA amendment Regulations recognise Singapore and Japanese IoT labelling schemes

DSIT laid the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) (No 2) Regulations 2025 for approval by both Houses of Parliament on 13 October 2025. The amendments modify the 2023 Regulations that implemented security requirements for manufacturers of relevant connectable products in the UK from 29 April 2024.  The security requirements are based on ETSI EN 303 645. 

The new draft Regulations provide that in-scope products can be made available in the UK if they hold a current Japanese JC-STAR STAR-1 conformance label or any valid level of Singapore’s Cybersecurity Labelling Scheme. Where these labels are current, manufacturers are treated as meeting Schedule 1 security requirements under the Product Security and Telecommunications Information Act 2023.

Apple's appeal against law enforcement access order dismissed

Apple's appeal against a government order to allowing it to access encrypted Apple data of UK users for law enforcement purposes has reportedly been dismissed.  The UK Investigatory Powers Tribunal is reported to have dismissed the appeal due to a "change in circumstances". It is unclear whether Apple will submit a further challenge.

News as of at 16 October

EC and EDPB joint guidelines on interplay between the DMA and the GDPR

On 9 October 2025, the European Commission and the European Data Protection Board endorsed joint guidelines on the interplay between the Digital Markets Act and the GDPR. The guidelines are open to consultation until 4 December 2025 after which the final version will be published. Issues covered include:

User choice and consent (particularly relevant to the 'pay or consent' debate) (Article 5(2) DMA)

Section 2.1 stresses that to fulfil the Article 5(2) DMA requirement for specific choice, gatekeepers need to offer an equivalent less personalised service rather than presenting a choice between consenting or not receiving the service. The less personalised service should not be different or of degraded quality compared to the service offered to consenting end users.

Section 2.2 discusses GDPR consent in the context of the DMA, again emphasising the need for granularity of consent with clearly specified processing purposes, saying: "where gatekeepers seek consent for processing personal data covered by Article 5(2) DMA for various purposes, they should provide a separate opt-in for each purpose to allow users to give specific consent for specific purposes. Purposes such as personalisation of content, personalisation of advertisements, and services development, are distinct purposes for which separate consents should be obtained if the gatekeeper wishes to combine or cross-use personal data in the manner described in Article 5(2) points (b) to (d) DMA".

Among other points relating to consent, the guidelines also stress that a decision not to consent which causes detriment will make the consent options invalid, and that an imbalance of power that may exist between controllers who are gatekeepers, including where the controller's position in the market means there is no realistic alternative to the service, will also affect the validity of the consent. They go on to address user friendly design and use of special data.

Distribution of apps and app stores (Article 6(4) DMA)

Article 6(4) DMA requires gatekeepers to enable third-party app and app store installation while allowing proportionate security measures. Gatekeepers must ensure DMA compliance doesn't undermine GDPR obligations, in particular data minimisation and vice versa. Gatekeepers and app developers are typically separate controllers; Article 6(4) doesn't establish joint controllership. Gatekeepers must not prescribe how third parties achieve GDPR compliance. 

Right to data portability of end users and authorised third parties (Article 6(9) DMA)

Article 6(9) DMA requires gatekeepers to provide free, effective portability of data provided by or generated through end user activity, including continuous real-time access. This complements GDPR Article 20 (going beyond GDPR requirements). The applicable basis is Article 6(1)(c) GDPR. Gatekeepers must enable device-to-device transfer without gaining further access, respecting data minimisation principles. Unlike Article 20 GDPR, Article 6(9) applies to others' personal data within datasets. Gatekeepers must ensure transparency through dashboards and provide tools for excluding others' data. Continuous real-time portability requires uninterrupted access via high-quality APIs. Gatekeepers cannot restrict use cases but must implement authentication procedures and secure transmission measures. For transfers to third countries without adequacy decisions, gatekeepers should seek explicit consent under Article 49(1)(a) GDPR.

Right to data access of business users and authorised third parties (Article 6(10) DMA)

Article 6(10) DMA requires gatekeepers to provide business users and authorised third parties with free, continuous, real-time access to aggregated and non-aggregated data, including personal data when directly connected with end users' use of business users' products/services and end user opt-in via consent. Recital 60 DMA clarifies third parties must act as processors under Article 28 GDPR contracts. Gatekeepers must enable access without gaining further access themselves, respecting data minimisation. The lawful ground is Article 6(1)(c) GDPR, triggered only when personal data is directly connected and business users obtain GDPR-compliant consent. Gatekeepers' core obligation is providing GDPR-compliant consent mechanisms. Gatekeepers should verify conditions and keep consent records but are not responsible for obtaining valid consent as that rests with business users.

Access to anonymised ranking, query, click and view data (Article 6(11) DMA)

Article 6(11) DMA requires gatekeepers to provide third-party search engine providers with FRAND access to ranking, query, click and view data, with personal data anonymised. Gatekeepers should select methods maximising data quality while ensuring effective anonymisation through appropriate technical measures

The guidelines also cover interoperability of number-independent communication services under Article 7 DMA, and regulator cooperation.

Read more about the guidelines here.

ICO does have jurisdiction in Clearview AI case

On 8 October 2025, the ICO reported that the Upper Tribunal upheld three of its four appeal grounds against the First-tier Tribunal in the Clearview AI case, confirming that Clearview’s processing relates to monitoring the behaviour of UK residents and falls within UK data protection law, even when Clearview services are supplied to foreign law enforcement or government agencies. 

In May 2022, the ICO fined Clearview £7.5 million and issued an enforcement notice in relation to the scraping of facial images of UK residents from the web and social media and uploading them into the Clearview database. The company both enables identification of people and also monitors their behaviour as part of its service offering.

Clearview appealed and the First-tier Tribunal held that the ICO did not have jurisdiction. The Upper Tribunal has now held the First-tier Tribunal had applied the law incorrectly in finding the processing outside the material scope of the UK GDPR under Article 2(1)(a).

The decision is legally binding and clarifies the material and territorial scope of the UK GDPR. It reaffirms that organisations monitoring UK residents’ behaviour are in scope irrespective of where they are established. The case is remitted to the First-tier Tribunal to determine the substantive appeal on the basis that the ICO had jurisdiction to issue the monetary penalty and enforcement notices. Clearview may seek permission to appeal. 

ICO issues £14 million fine to Capita for 2023 data breach

On 15 October 2025, the ICO issued a £14 million monetary penalty to Capita for a March 2023 cyber attack that stole nearly 1TB of data from 6.6 million people, impacting 325 pension schemes and other customers. Capita plc is fined £8 million and Capita Pension Solutions Limited £6 million.

The ICO found failures to ensure security of processing, including no administrative account tiering, a 58-hour delay in quarantining a compromised device despite a high-priority alert, lack of appropriately allocated staff, inadequate penetration testing and siloed risk remediation.

The ICO had initially proposed a £45 million fine but accepted a voluntary settlement after representations. Capita admitted liability and will not appeal. 

News as at 9 October 2025

Image sharing platform withdraws from the UK following ICO enforcement action

On 10 September 2025, the ICO issued a notice of intent to fine MediaLab AI Inc for data protection breaches relating to its social media platform Imgur. The ICO provisionally found that Imgur's use of children's personal data and its approach to age assurance were non-compliant. Imgur now directs UK users to a help page which tells them the site is not available in the UK. The ICO said on 30 September that this is a commercial decision by MediaLab AI and that it will consider any representations from the company before reaching a final decision on sanctions.

UK government renews efforts to access Apple encrypted cloud data

On 1 October 2025, the Financial Times reported that the UK government has renewed its efforts to require Apple to give it access to encrypted cloud backups of British users. The request is reportedly narrower in scope than the one made under a previous technical capability notice issued in January which asked for global access.

CJEU AG Opinion on GDPR limits to publishing athletes’ anti-doping sanctions online

On 25 September 2025, Advocate General Spielmann issued an Opinion in Case C-474/24 discussing whether Austrian rules requiring online publication of athletes’ names, sport, sanction duration and reasons for anti-doping infringements comply with the GDPR.

The AG considers that it is not necessary to publish athletes' names. Pseudonymised publication would achieve the objectives of deterring athletes from infringing anti-doping rules and preventing circumvention of those rules so publication should be limited to relevant bodies and sports federations. Publication should be proportionate in terms of scope and duration of availability. Controllers must conduct a case-by-case balancing exercise of different interests involved before processing. The Opinion is not binding and the CJEU judgment will follow.

Advocate General Opinion on whether an initial SAR can be excessive

On 18 September 2025, AG Szpunar handed down an Opinion in response to a reference from Germany relating to the abuse of subject access rights. The AG opined that an initial request for information under a subject access request can, in exceptional circumstances be considered excessive. However, the threshold for assuming an abuse of rights in an initial request is high. The AG said that the mere fact a person has made numerous previous requests does not make a request abusive. Nor does exercising the right to compensation. The issue is the underlying purpose of the individual's actions. If it can be proved that eg the data subject has consented to processing solely in order to submit an access request and claim compensation (as alleged in this case), then there will be an abuse of the subject access right. The Opinion is not binding and the CJEU judgment will follow. Read more about the Opinion here.

News as at 2 October 2025

Meta to introduce consent or pay in the UK for Facebook and Instagram

On 26 September 2025, Meta announced it will introduce a chargeable ad-free service on its Facebook and Instagram platforms in the UK. 

The ICO issued a statement welcoming the plan, saying this moves Meta away from relying on standard terms for targeted ads, which it considers non-compliant with UK law. The ICO expects Meta to assess user choices and the impact of the model, and to ensure ongoing compliance, transparency and freely given consent. The ICO will monitor the rollout and the wider use of consent or pay models across online markets.

Meta praised the ICO's engagement, comparing it favourably to the EU's approach which requires it to provide a 'middle ground' option between consent to advertising and paid services, where users receive a free service with ads based on more limited targeting. However, Meta significantly lowered the UK subscription starting price to about half the EU level as a result of the ICO's input. The cost will be £2.99 per month online and £3.99 per month via iOS or Android.

EDPS paper on Human Oversight of Automated Decision-Making

On 23 September 2025, the EDPS published a TechDispatch on Human Oversight of Automated Decision-Making (ADM). It looks at common assumptions about how humans interact with and monitor decision-making systems, including on the overly optimistic nature of many of them and the risks of not examining them critically. It also explores practical measures for providers and deployers of ADM systems to take to ensure human oversight supports democratic values and safeguards human rights. It does not offer legal interpretation. 

PCLOB finds compliance with EO 14086 safeguards

On 25 September 2025, the US Privacy and Civil Liberties Oversight Board published a report looking at the US Intelligence Community's compliance with Executive Order 14086 which provides enhanced safeguards in relation to processing of personal data by intelligence authorities. The report finds that appropriate policies, procedures, supplemental guidance and training were adopted by the Intelligence Community and found no instances of non-compliance. This is an essential component of maintaining the EU-US Data Privacy Framework.

Government confirms plans to introduce Digital IDs

On 26 September 2025, the UK government announced plans to introduce a Digital ID scheme. This will be available to all UK and legal residents who will be required to produce the ID for right to work checks by the end of this Parliament. There will be no requirement for individuals to carry their ID or to produce it (except in relation to right to work checks), but the ID will also be used to make it easier to access government services and streamline access to tax records. The digital ID will be held on people's phones. This is unrelated to the digital ID verification parts of the DUA Act.

Nineteen DPAs issue joint statement on trustworthy data governance for AI

On 17 September 2025, at the Global Privacy Assembly in Seoul, nineteen data protection authorities signed a Joint Statement on trustworthy data governance to support innovative and privacy-protecting AI.

The statement notes AI benefits and risks spanning privacy, discrimination, bias, disinformation and hallucination, and urges data protection by design, strong governance, risk management and regulation suited to complex processing.

The signatories committed to actions including clarifying legal bases for AI-driven data processing, sharing information and establishing appropriate security measures, monitoring technical and societal impacts of AI, reducing legal uncertainty while encouraging innovation, and cooperating with consumer, competition and IP authorities.

ICO fines energy firms for 'robo calls'

On 25 September 2025, the ICO confirmed fining two energy companies a total of £555,000 for making 'robo calls' using avatar software. This made calls leading recipients to think they were being made by real people. The ICO warned the public to be on their guard against the technology which is making it harder for people, particularly the elderly and vulnerable, to spot when they are not speaking to humans. The ICO lists things to look out for including slight pauses before responses, limited flexibility, identical voice or tone across calls, and lack of background noise or natural breaks.

News as at 25 September 2025

EC call for evidence on Digital Omnibus

On 16 September 2025, the European Commission published a call for evidence on the Digital Omnibus which is part of the Digital Package on Simplification.  The call builds on three previous calls and consultations on the Data Union Strategy, the review of the Cybersecurity Act, and the Apply AI Strategy.  The Digital Package on Simplification will propose immediate changes to the Digital Omnibus in an attempt to reduce the administrative and regulatory burden on businesses, particularly on small and mid-caps.  The EC will also, as announced in the Commission Work Programme for 2025, launch a Digital Fitness Check to stress-test the coherence and cumulative impact of the EU digital acquis governing the activity of businesses.

The Digital Omnibus will target problems and seek simplification in:

• The data acquis – (Data Governance Act, Free Flow of Non-Personal Data Regulation, Open Data Directive, and the ePrivacy Directive with reference to cookies in particular)
• Cyber security incident reporting obligations
• AI Act rules
• Electronic ID and trust services.

Specific objectives are:

• To reduce compliance costs in relation to access, use and sharing of data by reducing fragmentation of rules
• Reduce cookie consent fatigue and strengthen online privacy rights, as well as facilitating the use of cookies and other technologies for businesses and increasing data availability. The initiative will look at aligning more strongly with the GDPR
• Minimise the cost of reporting cyber and data incidents
• Ensure streamlined application of the AI Act
• Ensure trusted services operate in optimal conditions of legal certainty and reliability and that new proposals operate smoothly and simply with existing rules.

The call for evidence closes on 14 October 2025 and the Commission expects to adopt the Digital Omnibus by the end of 2025.

EC guidance on vehicle data and the Data Act

On 12 September 2025, the European Commission published a Communication providing guidance on the key Data Act obligations applying to vehicle data.  It covers data falling with in Chapter II of the Data Act ie data access and use rights of users of connected products and related services – in this case product data generated by a vehicle's use, and applicable access rules.  The guidance relates only to the automotive sector including original equipment manufacturers, suppliers, aftermarket service providers and insurance providers.  It cannot be extrapolated to other industries or the public sector.

South Korea recognises EU adequacy

On 16 September 2025, South Korea recognised the EU as having an equivalent data protection framework to its own allowing for frictionless transfers of personal data from South Korea to the EU. The EU recognised South Korea's regime as adequate in 2021.  This development makes the adequacy arrangement between the jurisdictions mutual.  It covers private and public sector data.

Cyber Security Growth Action Plan

On 19 September 2025, a government-commissioned independent report – the Cyber Security Growth Action Plan – was published by Bristol University and Imperial College London.  It aims to turbocharge growth, unlock jobs and support innovation.  The report makes a set of nine recommendations and 24 associated suggestions on how to implement the recommendations. These include an expanded role for the NCSC and the appointment of a UK cyber growth leader. The government will formally respond via the forthcoming National Cyber Strategy.

News as at 18 September 2025

Data Act now generally applicable 

The bulk of the EU Data Act is now applicable (as of 12 September 2025) although it will not apply in full until September 2027. The Data Act removes barriers to data sharing in order to give businesses access to data they contribute to creating and individuals more control over their data. Users of connected devices can access and share data they generate with third parties. The Data Act also facilitates cloud and edge service switching. Many Member States are yet to adopt the legislation required to set up their regulatory and enforcement frameworks. The legislation impacts manufacturers, service providers, data holders and processing providers globally, but users and data recipients must be in the EU. Google announced that it would be adopting the same measures in the UK as it has adopted to comply with the Data Act in the EU. For a reminder about the Data Act, check out our one-page summary. 

EDPB guidance on interplay of DSA and GDPR 

On 12 September 2025, the EDPB adopted guidelines on the interplay between the DSA and the GDPR for public consultation. The guidelines cover provisions of the DSA which relate to the GDPR including:

• Voluntary investigations and legal compliance relating to illegal content (Article 7) – processing must be conducted lawfully, fairly and transparently. The most likely lawful basis for processing personal data in relation to non-automated, own-initiative investigations is legitimate interests. In addition to adhering generally to the data protection principles, in-scope service providers, particularly VLOPs and VLOSEs should take care to ensure accuracy and prevent negative impacts from wrong or inaccurate results of monitoring. A DPIA is likely to be needed where monitoring which processes personal data is to be used.

• Notice and action systems that help individuals or entities report illegal content (Articles 16-17, 20 and 23) – only necessary personal data should be collected and a notification mechanism should allow for but not require the identity of the notifier (unless the information is necessary to determining whether the information is illegal content, in which case the notifier should be informed).

• Deceptive design patterns (Article 25) – the EDPB looks at Article 25(2) which states that the prohibition on deceptive design patterns under the DSA does not apply to practices that are covered by the GDPR or the Unfair Commercial Practices Directive. The guidance looks at how to identify when deceptive design is covered by the GDPR giving the example of when a non-business user is manipulated into providing more personal data than they would otherwise have done. 

• Recommender systems (Articles 27 and 38) – the EDPB says recommender systems raise concerns about accuracy and transparency and combining personal data as well as around risks associated with large-scale or special category data processing. The EDPB notes that it is even possible that presenting specific content to a user via a recommender system could constitute a decision within the meaning of Article 22(1) GDPR. The EDPB also underlines that providers of online platforms are required under s38 DSA to provide at least one option for their recommender system which is not based on profiling. The EDPB says options should be presented equally and should not nudge users to select options for recommender systems based on profiling. 

• Provisions relating to ensuring the privacy, safety and security of minors and prohibiting profile based advertising being presented to them (Article 28) – the EDPB recognises that Article 28(1) and (2) can constitute a legal basis for processing personal data under Article 6(1)(c) GDPR provided the processing is necessary and proportionate which is for the controller to demonstrate. The EDPB considers that providers of online platforms should avoid age assurance mechanisms that enable unambiguous identification of their users and should not permanently store the age or age range of the recipient of the service as a result of the age estimation or verification process.

• Transparency provisions for online advertising and prohibition of profile-based advertising using special category data (Article 26) - the EDPB points out that whereas information provided under Article 26 DSA can be provided after the processing of personal data may have occurred, transparency under the GDPR requires information about data processing to be given at the time personal data is obtained. The EDPB also notes that the prohibition on using special category data to target advertising applies even in situations where the controller has identified an Article 6 GDPR lawful basis and an Article 9 GDPR exception applies to the processing.

• Risk assessment and mitigation (Articles 34-35) – appropriate implementation of data minimisation and data protection by design and default may contribute to addressing systemic risks. If systemic risks are identified, a DPIA is likely to be required before data processing relating to mitigation can take place.

• Codes of conduct for online advertising (Articles 45-47) – the EDPB stresses the importance of clarifying the relationship between codes of conduct developed under the DSA and the GDPR, and of ensuring DPAs are involved in the former where appropriate.

The guidelines cover how the GDPR should be applied when complying with these elements of the DSA and also provide guidance on cross-border regulatory cooperation and enforcement along with some practical examples. They are open to comments until 31 October 2025.

More secondary legislation under DUA Act

Two further commencement regulations have been laid under the Data (Use and Access) Act 2025.

• The Data (Use and Access) Act 2025 (Commencement No.2) Regulations 2025 were made on 2 September 2025. They bring s124 DUA Act into force on 30 September to the extent that it was not already in force (part of it came in on the day of Royal Assent). S124 DUA Act amends the Online Safety Act. It means that online platforms must retain information about deceased children when required to do so on notice by Ofcom.

• The Data (Use and Access) Act 2025 (Commencement No.3 and Transitional and Saving Provisions) Regulations 2025. These were made on 4 September. They bring into force s79 (legal professional privilege exemption), s88 (national security exemption), s89 (joint processing by intelligence services and competent authorities) and s90 (joint processing consequential amendments) of the DUA Act subject to transitional and saving provisions. Sections 79 and 88 came into force on 4 September. Sections 89 and 90 come into force on 17 November 2025. These sections all deal with amendments to the Data Protection Act 2018 (not the UK GDPR) and relate to law enforcement and national security data processing.

EC to adopt adequacy decision with Brazil

On 5 September 2025, the EC announced a draft adequacy decision with Brazil.  Once concluded, it will allow for frictionless data transfers between the EU and Brazil without the need for additional measures.  The draft decision will be sent to the EDPB for its opinion, and to a committee of representatives of the EU Member States for approval.  The European Parliament has a right of scrutiny.

News as at 11 September 2025

CJEU ruling on nature of pseudonymised data

On 4 September 2025, the CJEU handed down a significant decision which clarified treatment of pseudonymised data. 

The CJEU overturned a General Court judgment which had annulled a decision of the EDPS in the case of EDPS v SRB (Case C-413/23 P).  The EDPS had responded to complaints that the EU Single Resolution Board (SRB) had shared creditor and shareholder comments on bankruptcy proceedings of a Spanish bank with accounting firm Deloitte without informing the individuals that such sharing might occur.  Despite the data being pseudonymised, the EDPS held that Deloitte had received personal data and that the SRB had failed to comply with applicable information requirements.  The SRB brought an action for annulment of the EDPS decision which was upheld by the General Court.  The EDPS appealed to the CJEU.

The most notable aspect of the case relates to clarification of when pseudonymised data is personal data, particularly in relation to data transferred to a third party by a controller.  On this issue, the CJEU in fact agreed with the General Court's analysis that pseudonymised data does not always constitute personal data, following existing case law.  The CJEU confirmed that where pseudonymisation effectively prevents parties other than the controller identifying the data subject, for example where technical and organisational measures are put in place to prevent attribution of data to a person, or where any reidentification is not reasonably likely due to legal prohibition or practical impossibility, or because it would require disproportionate effort, the data will not be personal data in the hands of the recipient.  This must be assessed on a case by case basis.

The CJEU also found that the General Court erred in law in holding that the EDPS should have examined whether data transferred by SRB to Deloitte constituted personal data from Deloitte's point of view when looking at whether SRB had complied with its information requirements.   It said case law makes clear that the relevant perspective for assessing the identifiable nature of the data subject depends, in essence, on the circumstances of the processing of the data in each individual case.  The identifiable nature of the data subject must be assessed at the time of collection of the data and from the point of view of the controller.  In this case, SRB as controller had the obligation to provide information to data subjects prior to the transfer of the data and irrespective of whether the data was personal data from Deloitte's perspective after pseudonymisation.

The applicable legislation in this case is Regulation 2018/1725 which covers the processing of personal data by EU institutions, rather than GDPR, but the decision also impacts the GDPR as the relevant provisions have GDPR equivalents.   The judgment confirms the shift that has taken place as case law has evolved, from pseudonymised data always being treated as personal data, to a more context-specific approach.  If, however, a controller intends to transfer pseudonymised  data to a third party, such that the data is no longer personal data in the recipient's hands, it must, nevertheless set this out in its privacy notice in order to comply with transparency requirements.

Google and Shein sanctioned by the CNIL

On 1 September 2025, the CNIL fined Google €325m for displaying ads and dropping cookies without consent when users create new accounts.  The CNIL looked at the Gmail messaging service and Google account creation processes between 2022 and 2023.  It found that Google displayed ads in the form of emails among the emails in the 'Promotions' and 'Social' tabs of the Gmail messaging service without required consents.  It also found that on creation of new accounts, Google steered users to choose cookies allowing targeted advertising and that users were not given clear information about advertising cookies which breached consent requirements.  As a result, the CNIL issued Google Ireland with a €125m find and Google LLC with a €200m fine.  Further daily penalties will be incurred if Google does not make changes.

At the same time, the CNIL fined SHEIN's Irish subsidiary, Infinite Styles Services Co. Limited, €150m Euros for failing to obtain consent before dropping cookies, breach of information requirements due to incomplete cookie banners and insufficient second-level information, and inadequate mechanisms for refusing and withdrawing consent.

Two days later, on 4 September 2025, a federal jury in San Francisco held that Google continued to track users and collect their data even after they had opted out of tracking.  It awarded damages in the class action claim of $425m.

ICO consultation on draft changes to complaints handling

On 22 August, the ICO opened a consultation on draft changes to how it handles data protection complaints.  The consultation sets out the ICO's proposed framework for deciding the extent to which it is appropriate for it to investigate complaints.  The framework is intended to ensure a consistent approach and the ability to focus resources on cases which can have the biggest impact. The consultation closes on 31 October 2025.

News as at 4 September 2025

ICO guidance on using profiling tools for online safety purposes

The ICO published new guidance on 30 July 2025 looking at data protection-compliant use of profiling tools. This is substantially aimed at user-to-user services using profiling tools to comply with age assurance obligations under the Online Safety Act but can also be used more widely by anyone using profiling tools as part of their trust and safety processes. The guidance should be read alongside the Content Moderation Guidance where relevant.

ICO guidance on secure disclosure of documents to the public

On 31 July 2025, the ICO published new guidance to help organisations disclose documents securely. This covers public authorities responding to FOI requests and organisations responding to DSARs. The guidance focuses on steps to prevent disclosure of hidden or not immediately visible information in documents, following high profile data breaches involving unintended disclosure of personal data by the Ministry of Defence and the Police Service of Northern Ireland.

ICO consultation on Data (Use and Access) Act amendments

On 21 August 2025, the ICO launched the first two in a series of planned consultations relating to draft guidance on amendments made to the UK GDPR by the Data Use and Access Act (DUA Act). 

Recognised legitimate interest

Recognised legitimate interest is the new lawful basis for processing personal data in the public interest as set out in Annex I of DUA Act. Currently the pre-approved purposes cover:

• Sharing with another organisation on request because they need the information for their public task or official functions
• To safeguard national or protect public security or for defence
• To respond to or deal with an emergency situation
• To prevent, detect or investigate crimes, including the apprehension and prosecution of offenders
• To protect the physical, mental or emotional wellbeing of people who need extra support or protect them from harm or neglect (safeguarding).

This list can be amended by the Secretary of State.

The main benefit of relying on one of these recognised legitimate interests is that there will be no need to carry out a Legitimate Interest Assessment. However, the use of the information must be necessary and must comply with all other legal requirements.

The draft guidance explains the difference between legitimate interests and recognised legitimate interests and how to assess which lawful basis is appropriate. It goes on to look at each pre-approved legitimate interest in more detail.

The consultation closes on 30 October 2025.

Data protection complaints

The ICO has published draft guidance on data protection complaints and the new requirement for all organisations to have a process in place to handle them by June 2026. In particular, organisations must provide a method for submitting complaints and ensure they acknowledge receipt within 30 days. They must also take appropriate steps to respond to complaints without undue delay and keep complainants up to date with the process and inform them without undue delay of the outcome. 

The draft guidance sets out suggestions for how to give effect to the new requirements, with a particular focus on complaints made by children.

The consultation closes on 19 October 2025.

ICO consultation on DLT guidance

On 28 August 2025, the ICO published a consultation on draft guidance on distributed ledger technology (DLT). The guidance mostly refers to blockchain but is applicable to all DLTs. 

The draft guidance covers the type of personal data which may be present on a blockchain and identifies key issues, including the difficulty of identifying controllers and processors, and challenges around data rectification. It stresses the importance of privacy by design and default, carrying out a DPIA before processing, and using PETs to mitigate risk, particularly zero-knowledge proofs, homomorphic encryption and differential privacy.

The consultation is in the form of a 15 minute survey. It closes on 17 November 2025.

First DUA Act commencement Regulations now in force

The Data (Use and Access) Act (Commencement No.1) Regulations 2025 came into force on 20 August 2025. They bring into force a number of DUA Act provisions (to the extent they are not already in force by virtue of s142(2) of the DUA Act) as follows:

• (a ) Part 1 (access to customer data and business data in relation to smart data schemes)
• (b ) section 72 (processing in reliance on relevant international law), except:
• (i) subsection (3), and
• (ii) subsection (7), to the extent that it refers to Article 8A(3)(e) in the insertion of section 9A (processing in reliance on relevant international law) in the Data Protection Act 2018
• (c) section 74 (processing of special categories of personal data)
• (d) section 84 (law enforcement processing and codes of conduct)
• (e ) section 91 (duties of the Commissioner in carrying out functions)
• (f) section 92 (codes of practice for the processing of personal data)
• (g) section 93 (codes of practice: panels and impact assessments)
• (h)section 95 (analysis of performance)
• (i) section 102 (annual report on regulatory action)
• (j) section 104 (court procedure in connection with subject access requests)
• (k) section 106 (protection of prohibitions, restrictions and data subject’s rights)
• (l) section 107 (regulations under the UK GDPR)
• (m) section 108 (further minor provision about data protection)
• (n) section 109 (the PEC Regulations)
• (o) section 110 (interpretation of the PEC Regulations), except subsection (2)(a) and (b) and subsection (3)
• (p) section 111 (duty to notify the Commissioner of personal data breach: time periods)
• (q) section 113 (emergency alerts: interpretation of time periods)
• (r) section 117 (the Information Commission), except subsection (4)(a)
• (s) section 125 (information for research about online safety matters)
• (t) section 129 (the eIDAS Regulation)
• (u) section 134 (time periods: the eIDAS Regulation and the EITSET Regulations)
• (v) section 135 (economic impact assessment)
• (w) section 136 (report on the use of copyright works in the development of AI systems)
• (x) section 137 (progress statement)
• (y) Schedule 11 (further minor provision about data protection), except paragraphs 22, 23, 25, 28, 29, 30, 31 and 32
• (z) Schedule 14 (the Information Commission).

Latombe challenge to EU-US DPF dismissed

On 3 September 2025, the EU General Court dismissed French MEP Philippe Latombe's private action to annul the EU-US Data Privacy Framework.  The General Court confirmed that on the date of application of the Executive Order in question, the USA provided an adequate level of data protection for EU personal data.  Latombe has been arguing that the DPF does not comply with the GDPR as there is no adequate protection of EU data in the USA due to potential access by the intelligence authorities.  He also claimed that the Data Protection Review Court was neither impartial nor independent as it was dependent on the Executive.  The General Court denied his application to suspend the DPF in 2023 in which he argued he would suffer serious harm in the event of it continuing.  The General Court has now dismissed the action in its entirety.
 
While there were fears that President Trump might revoke the Executive Order underpinning the DPF and the Data Protection Review Court, the framework remains in place, and in May 2025, the Data Protection Review Court published rules of procedure in an effort to protect its independence and continuing operation.   The General Court said that there were safeguards in place to protect the independence of the Court and also cited the ability of the Commission to suspend the DPF as an additional protection for EU data.  Finally, the Court said that the collection of bulk personal data by US intelligence authorities does meet the Schrems II requirements in as much as it is subject to ex post judicial oversight.

The General Court's decision will come as a relief to those who have ridden the Schrems rollercoaster and who rely on the DPF to transfer personal data from the EU to the US.  Permission to appeal limited to points of law has, however, been given.

UK reportedly drops attempt to access Apple user data

On 16 August 2025, the US Director of National Intelligence said that the UK had abandoned efforts to require Apple to give it 'backdoor' access to user data under the Investigatory Powers Act. Apple had removed its Advanced Data Protection product from the UK as a result of the government's Technical Capability Notice but appealed to the Investigatory Powers Tribunal to challenge the notice. The BBC reports that the court documents showed the scope of the Technical Capability Notice was wider than had previously been thought, however, the government appears to have backed down.

Austrian court dismisses pay-or-consent appeal

In 2023, the Austrian DPA held that the pay-or-consent model introduced by newspaper Der Standard was unlawful as it only provided a binary choice between global consent or a monthly subscription. The paper appealed the decision, arguing it was not practical to implement a granular consent model. The Austrian Federal Court has now dismissed the appeal but allowed a further appeal to the Supreme Administrative Court, making it likely the case will eventually reach the CJEU.

Court of Appeal clarifies rules on claims for non-material damage under the UK GDPR

On 22 August 2025, the Court of Appeal handed down judgment in the case of Farley & Ors v Paymaster (1836) Ltd (trading as Equiniti) [2025] EWCA Civ 1117.  The judgment is significant as it clarifies issues around claims for non-material damages under the UK GDPR. 

The Court allowed an appeal against an order striking out the majority of individual claims in a collective action relating to a data breach in which the defendant sent pension statements of around 750 police officers to their former residential addresses.  The High Court struck out all but 14 of 474 claims on the basis that there was no evidence that the envelopes had been opened and the contents disclosed.

The appeal focused on compensation for data breaches (although the Court found that the lower court had erred in its assessment that there was no relevant processing of personal data where the contents of the letters had not been read).  The main substance of the appeal related to whether claims for compensation for data breaches under the UK GDPR had to pass the threshold of seriousness set out in the Lloyd v Google case which was concerned with the Data Protection Act 1998. In sending back the case to the High Court, the Court of Appeal asks it to reconsider the issue of whether fears of disclosure were well founded and whether any compensation is due as a result. The Court of Appeal said that losing control over personal data might give rise to a claim for damages if the claimants could demonstrate an objectively well-founded fear that their data could have been misused rather than one that was merely hypothetical or speculative.  However, the Lloyd v Google case threshold of seriousness did not apply to UK GDPR claims and the Court said the UK should follow the CJEU's approach as set out in the 2023 Österreichische Post case in which it was held that there was no threshold of seriousness to be passed in relation to non-material damages claims for breaches of the GDPR. 

The Court of Appeal is not required to follow post-Brexit CJEU case law but may choose to do so under certain circumstances.  While clarification of the application of the seriousness threshold (or not) to UK GDPR claims is helpful, it does not open the floodgates to opt-out representative actions in data claims as it does not overcome the difficulty of demonstrating that all claimants have the same interest.

ICO finalises encryption guidance

On 2 September 2025, the UK ICO published its final guidance on encryption following consultation.  The guidance explains how UK data protection law applies when using encryption and how to apply encryption in practice.  It is aimed at DPOs and those with specific data protection responsibilities in any size of organisation who are implementing encryption – whether as a controller or processor.  It does not cover end-to-end encryption, PETs, encryption and ransomware or the impact of quantum computing.  It focuses in particular on encryption in the context of data storage and data transfers.

News as at 29 July 2025 

First DUA Act Commencement Regulations

The Data (Use and Access) Act (Commencement No.1) Regulations 2025 were made on 21 July 2025. They bring into force a number of DUA Act provisions on 20 August 2025 (to the extent they are not already in force by virtue of s142(2) of the DUA Act) as follows:

• Part 1 (access to customer data and business data in relation to smart data schemes)
• section 72 (processing in reliance on relevant international law), except subsection (3), and subsection (7), to the extent that it refers to Article 8A(3)(e) in the insertion of section 9A (processing in reliance on relevant international law) in the Data Protection Act 2018
• section 74 (processing of special categories of personal data)
• section 84 (law enforcement processing and codes of conduct)
• section 91 (duties of the Commissioner in carrying out functions)
• section 92 (codes of practice for the processing of personal data)
• section 93 (codes of practice: panels and impact assessments)
• section 95 (analysis of performance)
• section 102 (annual report on regulatory action)
• section 104 (court procedure in connection with subject access requests)
• section 106 (protection of prohibitions, restrictions and data subject’s rights)
• section 107 (regulations under the UK GDPR)
• section 108 (further minor provision about data protection)
• section 109 (the PEC Regulations)
• section 110 (interpretation of the PEC Regulations), except subsection (2)(a) and (b) and subsection (3)
• section 111 (duty to notify the Commissioner of personal data breach: time periods)
• section 113 (emergency alerts: interpretation of time periods)
• section 117 (the Information Commission), except subsection (4)(a)
• section 125 (information for research about online safety matters)
• section 129 (the eIDAS Regulation)
• section 134 (time periods: the eIDAS Regulation and the EITSET Regulations)
• section 135 (economic impact assessment)
• section 136 (report on the use of copyright works in the development of AI systems)
• section 137 (progress statement)
• Schedule 11 (further minor provision about data protection), except paragraphs 22, 23, 25, 28, 29, 30, 31 and 32
• Schedule 14 (the Information Commission).

The government also announced its plans for full implementation of the DUA Act as follows:

• Stage 1 – technical provisions clarifying aspects of the legal framework and measures requiring the government to publish an impact assessment, report and progress update on AI and copyright issues (covered by the Regulations above)
• Stage 2 – three to four months after Royal Assent, most of the measures on digital verification services in Part 2 of the Act and measures in Part 7 on retention of information by providers of internet services in connection with the death of a child
• Stage 3 – approximately six months after Royal Assent, the main changes to data protection legislation in Part 5 and the provisions on information standards for health and adult social care in England (Part 7).
• Stage 4 – provisions that require a longer lead time including measures on the National Underground Register and the electronic system of registering births and deaths. 

Changes to the Information commissioner's Office governance structures in Part 6 will be brought in once the Information Commission's new Board has been appointed. This is expected in early 2026.

Part 1 of the DUA Act covers access to customer and business data and (to the extent not already in force) is being brought in under the No.1 Commencement Regulations. Essentially it confers various powers on the Secretary of State to make secondary legislation in connection with sharing of business and customer data, and smart data schemes, (with similar objectives to the EU's Data Act). The government launched a call for evidence on Smart Data opportunities in digital markets on 28 July 2025. The call seeks views on whether and how to introduce a Smart Data scheme. The government envisages this could cover a wide range of platforms including e-commerce sites, subscription services, and online marketplaces. It is looking to reduce barriers to data sharing and switching and unlock data portability to enhance competition and benefit consumers. The call closes on 15 September 2025.

EC launches process to adopt new EU-UK adequacy decisions

On 22 July 2025, the EC announced it had launched the process to adopt new adequacy decisions to allow the free flow of personal data between the EEA and UK. The Commission has concluded that the UK's legal framework (including the Data (Use and Access) Act) continues to provide data protection safeguards essentially equivalent to those in the EU. The draft decisions will now go to the EDPB for its opinion and approval will be sought from a committee composed of EU Member State representatives. The European Parliament also has a right of scrutiny (although not a veto).

UK government response to ransomware consultation

On 22 July 2025, the government published its response to the feedback on its consultation on ransomware legislative proposals. In its consultation the government proposed:

• A targeted ban on ransomware payments for owners and operators of regulated-critical national infrastructure and the public sector – there was majority support for this among respondents
• A ransomware payment prevention regime – support for this was mixed but overall, the first proposed measure involving an economy-wide payment prevention regime for any organisations and individuals not covered by the targeted regime, was narrowly preferred to the option of instigating a threshold approach or excluding individuals
• A mandatory incident reporting regime – this also gained majority support.

As a result, the government will proceed with all three legislative proposals and it plans to clarify scope in guidance. In response to some of the feedback, it will also consider the best approach to penalties, in particular, for supply chains.

CNIL guidance on application of GDPR to AI

On 22 July 2025, the French DPA, the CNIL, published its recommendations on the development of AI systems to clarify GDPR applicability, security requirements and conditions for training data. While they are applicable only in France, they may be useful especially when considered in conjunction with the October 2024 EDPB Opinion on the GDPR and responsible AI.

EC publishes AI Act template for summary of GPAI model training content

On 24 July 2025, the EC published a template which aims to provide a common minimal baseline for the information to be made publicly available in the Summary of Training Content for GPAI models under the AI Act. The template is divided into three sections comprising:

• General information about the model
• A list of data sources covering the main training data sets and a description of data obtained by scraping or using web crawlers – providers must list the top 10% by volume of content scraped. SMEs must list the top 5% or 1000 domain names, whichever is lower
• Data processing – including whether the provider has signed up to the GPAI Model Code of Practice and what measures they have taken with respect to compliance with the Copyright Directive and the TDM exemption. 

The template sits alongside the GPAI Model Code of Practice and GPAI Model Guidelines.

White House publishes AI Action Plan and AI Executive Orders

On 23 July 2025, The US White House published its AI Action Plan and three Executive Orders relating to AI covering:

• Preventing Woke AI in the Federal Government
• Accelerating Federal Permitting of Data Center Infrastructure
• Promoting the Export of the American AI Technology Stack.

Unsurprisingly, the focus of the AI Action Plan is around the three pillars of accelerating innovation, building AI infrastructure and leading in international diplomacy and security. The Action Plan is "America's roadmap to win the race". As such, there is a lot on removing red tape and enabling the US to be the global leader in AI, as well as on harnessing AI for national security, critical infrastructure and other applications. Conspicuous by their absence are references to safe development and use of AI, ethical considerations, copyright and data protection, and legislative initiatives. 

News as at 23 July 2025

ICO consults prior to update of transfer guidance

On 26 June 2025, the ICO published a Call for Views on its current international transfers guidance. The ICO asks for input as to which aspects of the guidance are most helpful, which are difficult to understand or hard to apply, and what additional tools or guidance products would make international transfers easier, quicker or less complex. The consultation is open until the end of 7 August 2025. The ICO may publish a summary of responses prior to using the information gathered to update its transfers guidance in light of the new Data (Use and Access) Act.

ENISA NIS2 technical guidance

On 26 June 2025, ENISA published voluntary technical guidance to support Member States and in-scope entities in implementing the technical and methodological requirements for cyber security risk management measures applying to critical entities under the NIS2 Directive. This includes cloud service providers, data centre service providers, online marketplaces, online search engines, social network platforms and trust service providers. ENISA stresses the guidance is not legally binding and is not intended to replace frameworks, guidance or tools provided at Member State level.

EDPB adopts statement on enhanced clarity, support and engagement

On 2 July 2025, the EDPB adopted the 'Helsinki Statement' on enhanced clarity, support and engagement. This sets out new initiatives agreed by the EDPB to facilitate easier GDPR compliance, enhance dialogue with a broad range of stakeholders, strengthen consistency and develop cross-regulatory cooperation in the digital landscape. The EDPB noted the importance of providing timely and suitable guidance and said there would be an emphasis on assisting SMEs with GDPR compliance. It will also focus on providing templates, early engagement, consistent enforcement and cross-regulatory cooperation.

ICO consultation on draft updated guidance on storage and access technologies

On 7 July 2025, the ICO launched a consultation on a new chapter in the draft updated guidance on storage and access technologies (SATs), previously known as the 'detailed cookies guidance'. The guidance has been updated to take account of the DUA Act. The ICO has also launched a call for views on its approach to regulating online advertising, specifically in relation to the consent requirements under Regulation 6 of PECR. This looks at whether a risk-based approach to enforcing PECR could allow publishers to deliver online advertising to users who have not given consent where there is a low risk to privacy. The ICO stresses that certain types of online advertising will always require consent, for example, where extensive profiling based on online activity takes place. It also underlines that the review does not change the ICO's views on UK GDPR compliance requirements or current potentially harmful practices. It will continue to enforce consent requirements for collecting personal information for ad targeting and personalisation. The consultations close on 29 August 2025. Responses will inform the ICO's final guidance and a formal statement on its enforcement approach, expected in early 2026.

EDPB and EDPS Opinion on Omnibus IV proposal

On 9 July 2025, the EDPB and EDPS published a joint Opinion on the data-related aspects of the Omnibus IV proposal. This consists chiefly of extending the SME exemption from Article 30(5) record-keeping obligations to organisations employing fewer than 750 people unless the processing is high risk. The proposal also extends the scope of Articles 40(1) and 42(1) and introduces definitions of SMEs and SMCs into Article 4 GDPR. The EDPB and EDPS are generally supportive but make a number of suggestions on clarity and emphasis.

DRCF article on ICO and FCA insights on open finance and smart data

On 17 July 2025, the DRCF published an article by the ICO and FCA looking at technologies shaping the future of open finance. It focuses on APIs, AI, DLTs, smart contracts and digital identity verification. It looks at issues including control over consumer and business data, trust in new products and services, positive consumer outcomes, and data protection compliance including relating to lawful basis, data minimisation and transparency. 

Data breach disclosed details of 18,000 Afghans seeking relocation

Details came to light in mid-July of a 2022 data breach by the MoD in which excerpts of a spreadsheet relating to applicants for its Afghan Relocations and Assistance Policy were shared online. While it was initially thought that the data related to a small number of applicants, in fact the spreadsheet contained hidden data relating to 18,000 people which became available online. The MoD reported the breach to the ICO within the required 72 hours of becoming aware of it in 2023, but an injunction prevented knowledge of the breach entering the public domain.

The ICO made a statement on 15 July and wrote a blog on 17 July setting out its thinking on whether or not to take further action. In this instance, the breach occurred due to the emailing of a spreadsheet containing hidden data that was not evident to the individual sending it. The sender thought they were sending a small amount of data to an external party for a legitimate reason. The ICO said it had already taken action against the MoD for poor handling of sensitive information in relation to the evacuation from Afghanistan and had worked closely with the MoD to mitigate risks associated with this breach, as well as improve data protection practices at considerable public expense. It has decided there is little to be gained by further pursuing this incident.

EC adequacy decision for European Patent Organisation

On 15 July 2025, the EC confirmed that the European Patent Organisation provides a level of data protection equivalent to that provided by the EU. This is the first time the EU has adopted an adequacy decision relating to an international organisation. The adequacy decision allows for frictionless transfers of personal data between the EU and the European Patent Organisation.

ICO announces registered trade mark for owners of ICO certification schemes

On 2 July 2025, the ICO announced its first registered trade mark for users of owners of ICO-approved and published UK GDPR schemes. The trade marks act as a visible signal to inspire trust.

News as at 2 July 2025

EC formally adopts extension of EU-UK adequacy decision

As expected, the European Commission formally adopted a six-month technical extension of the EU-UK adequacy agreement on 24 June 2025. This extends the agreement to 27 December 2025, allowing the EC to assess the impact of the Data (Use and Access) Act 2025 on data transfers from the EU.

UK government publishes range of factsheets on new data legislation

The government has published a range of factsheets on the Data (Use and Access) Act 2025. They set out the main changes to the UK GDPR and PECR, and to the role of the ICO.

EC suggests Meta's 'consent and pay' measures do not go far enough

An EC spokesperson has suggested changes made by Meta to its 'pay or consent' model may not go far enough to comply with the Digital Markets Act. Meta has introduced a third option which allows a free service in return for advertising which uses limited personal data for targeting.

EC publishes EU Space Act proposal

On 25 June 2025, the European Commission published its proposal for an EU Space Act. The aim is to harmonise a currently fragmented regime to ensure safety, resilience and environmental responsibility, while helping companies scale up across borders. The Act aims to cut red tape, protect space assets and create a fair, predictable playing field for businesses. It is based on three pillars:

• Safety – rules for tracking space objects and limiting debris.
• Resilience – tailored cyber security requirements to strengthen protection of European space infrastructure and ensure business continuity. Space infrastructures are at growing risk from cyber attacks and electronic interference. The Space Act will require all space operators to conduct risk assessments throughout a satellite's lifecycle, apply cyber security rules and report incidents.
• Sustainability – operators will need to assess and reduce the environmental impact of their activities, for example by carrying out in-space servicing to reduce debris and extend the lifecycle of satellites.

The Commission also presented a Vision for the European Space Economy to address international competition and geopolitical tensions. It will implement the actions set out in cooperation with EU Member States, the EU Agency for the Space Programme, the European Space Agency, and industry. The Commission will also establish a Space Team Europe – a high level forum bringing space ecosystem stakeholders together. 

News as at 25 June 2025

Data (Use and Access) Act 2025 gets Royal Assent

The Data (Use and Access) Bill (now the Data Use and Access Act 2025) received Royal Assent on 19 June 2025.  The majority of the DUA Act will be brought in by secondary legislation however:

The following sections are now in force:

• s66 (meaning of “the 2018 Act” and “the UK GDPR”)
• s78 (searches in response to data subjects’ requests)
• Part 1 of Schedule 16 (grant of smart meter communication licences) and section 122 so far as relating to that Part of that Schedule
• s126 (retention of biometric data and recordable offences)
• s128 (retention of pseudonymised biometric data)
• s129 (retention of biometric data from INTERPOL)
• Part 8
• any other provision which confers the power to make secondary legislation.

The following provisions come into force at the end of the period of two months (19 August 2025)

• s69 (consent to law enforcement processing)

• s82 (logging of law enforcement processing)
• s96 (notices from the Information Commissioner)
• s97 (power of the Information Commissioner to require documents).

Part 2 of Schedule 16 (grant of smart meter communication licences), and s122 so far as relating to that Part of that Schedule, come into force on the day on which the first regulations under s91A(1) of the Energy Act 2008 (inserted by 1 of Schedule 16) come into force.

The ICO currently expects some provisions (which we anticipate will cover changes to the UK GDPR and PECR) to come in within six months, and the remainder to be introduced within a year.

See more here.

16bn passwords reportedly exposed

Cybernews reported it had exposed a data breach involving the brief exposure of 16bn passwords on the internet.  The records are spread across 30 databases and include recent data, most likely from a variety of 'infostealer' malware attacks, credential stuffing sets as well as recycled data.  There is some overlap across datasets although it is unclear how much.

OECD report on sharing AI tools with PETs

On 17 June 2025, the OECD published a report on Sharing trustworthy AI models with privacy-enhancing technologies (PETs).  The report says PETs are critical tools for building trust in the development and sharing of AI while protecting privacy, IP and sensitive information. The report identifies two key use cases: enhancing performance of AI through confidential and minimal use of input data with technologies like trusted execution environments, federated learning and secure multi-party computation.  The second is enabling confidential co-creation and sharing of AI models using tools like differential privacy, trusted execution environments and homomorphic encryption.  The OECD cautions that while combining PETs can be helpful, balancing utility, efficiency and usability remains challenging.  Governments and regulators have a role to play in encouraging PET adoption through guidance, sandboxes and R&D support.

News as at 19 June 2025

23andMe fined £2.31m by ICO

On 17 June 2025, the UK's ICO announced it had fined genetic testing company 23andMe £2.31m for failure to implement appropriate security measures to protect the information of UK users. The fine is the result of a joint investigation by the ICO and Canada's Privacy Commissioner into 23andMe's cyber security following a credential stuffing attack between April and September 2023 during which personal data (including special category data) of 155,592 UK individuals was accessed. 

The investigation found that 23andMe did not have appropriate authentication and verification measures, failed to implement appropriate controls over access to raw genetic data, and did not have effective systems in place to monitor, detect or respond to cyber threats. The response to the incident was inadequate. 23andMe dismissed a claim of data theft as a hoax despite having identified unauthorised activity, and an investigation was only begun later once the data was advertised for sale on Reddit. By the end of 2024, 23andMe had made security improvements which were sufficient to bring an end to the identified breaches.

The company filed for bankruptcy in March 2025 and is looking for a buyer.

Political agreement reached on GDPR Procedural Regulation

On 16 June 2025, political agreement was reached on the GDPR Procedural Regulation. The draft Regulation is intended to speed up cross-border enforcement of the GDPR. In particular, it will streamline administrative procedures and improve cooperation between national regulators, including by harmonising requirements for admissibility of cross-border actions. It will introduce deadlines for investigations and an early resolution mechanism which will allow DPAs to resolve a case before involving other DPAs under certain circumstances. The draft Regulation now needs to be formally adopted by the EU Council and Parliament before signature and publication in the Official Journal. 

ICO guidance on IoT data

On 16 June 2025, the ICO published draft guidance for consultation on Internet of Things products and services. This is intended to give the industry regulatory certainty, outlining clear expectations about how to comply with data protection law and use personal data responsibly. The guidance covers issues including how to ask for informed consent, transparency, and the tools needed for people to be able to exercise their data rights. It also looks at accountability, data accuracy and retention, and security.

UK government announces Cyber Growth Action Plan 2025

On 18 June 2025, the UK government announced a Cyber Growth Action Plan 2025 and £16m in funding for cyber sector programmes to kickstart growth.

Terms of reference have been published for the Cyber Growth Action Plan that will chart a course for the UK's cyber industry. The Plan will be led by the University of Bristol and Imperial College's Centre for Sectoral Economic Performance. It will examine the strengths of the UK's cyber sector and provide a roadmap for growth with recommendations for the government to be set out in the summer. 

The government also announced up to £10m of additional funding for the CyberASAP programme over the next four years. This will support the UK's academic cyber security sector to turn their research into commercial companies. Up to £6m will be allocated to the Cyber Runway to help support cyber startups and SMEs in scaling and accessing new markets.

EDPB training curriculum on AI and data protection

On 5 June 2025, the EDPB published a training curriculum on AI and data protection covering law and compliance in AI security and data protection. The training is designed for DPOs and is intended to provide a comprehensive foundation on legal compliance issues, including by providing case studies focused on GDPR, the AI Act, the Data Act and other relevant EU legislation. Eventually there will be a modifiable community version available.

Meta to introduce ads to WhatsApp Updates tab

On 16 June 2025, Meta announced it will begin showing ads in the Updates tab of WhatsApp but not in personal chats. Ads will be targeted based on information including age, country or city of location, languages being used, the channels people are following in the app, and their interactions with ads including ad preferences set in the Accounts Center and relating to other Meta accounts where WhatsApp has been added. Channels will also be able to charge a monthly subscription fee for exclusive updates, and businesses will be able to promote their channels. There will be no change to the chat functionality where chats will remain end-to-end encrypted and will not be used for ad targeting purposes. This will be rolled out in the next several months.

IPA Codes of Practice published

On 6 June 2025, the government published three Codes of Practice relating to aspects of the Investigatory Powers Act:

• third party personal datasets
• bulk personal datasets with low or no reasonable expectation of privacy
• investigatory Powers Act notices regime.

Updates of other Codes are now in force.

News as at 12 June 2025

Ping pong ends in government win – UK's Data (Use and Access) Bill passed

On 11 June 2025, the Data (Use and Access) Bill was passed by Parliament and now awaits Royal Assent. The new data legislation has been a long time coming as a version was originally proposed by the Conservative government but the legislation failed as a result of the general election. Passage of Labour's Data (Use and Access) Bill had been relatively smooth until the House of Lords began introducing successive amendments relating not to data but to the use of copyright materials to train AI. Amendments to require transparency provisions, either in the Bill itself or under separate legislation, ultimately failed. The Lords were, however, able to get the government to agree to publish a report on its copyright and AI proposals, including on enforcement and AI models trained abroad, within nine months of the DUA Bill getting Royal Assent, with an interim report to be published within six months.

As for the rest of the Bill, it has not changed significantly since its introduction. It amends the UK GDPR and PECR, provides a framework for sharing of business and customer data, and for digital identity verification. Read more.

ICO launches AI and biometrics strategy

On 5 June 2025, the ICO published its new AI and biometrics strategy which aims to ensure organisations are developing and deploying new technologies lawfully, and supporting them to innovate while ensuring the public is protected. The two main challenges are identified as a lack of regulatory certainty and of confidence for organisations, and a lack of transparency and confidence in how personal data is used which undermines public trust.

The ICO says it will:

Give organisations certainty on how they can use AI and ADM responsibly under data protection law by:

• consulting on an update to its ADM (automated decision-making) and profiling guidance by autumn 2025 to reflect the Data (Use and Access) Bill
• developing a statutory code of practice on AI and ADM.

Ensure high standards of ADM in central government, ensuring decisions affecting people are fair and accountable by:

• learning from early adopters of ADM and communicate findings
• setting out regulatory expectations.

Set clear expectations for responsible use of ADM in recruitment by:

• scrutinising use of ADM in recruitment by major employers and recruitment platforms, identifying risks related to transparency, discrimination and redress
• publishing findings and regulatory expectations, holding non-compliant employers to account.

Scrutinise foundation model developers to ensure they are protecting people's information and preventing harm by:

• securing assurances from developers that personal information in model training is used appropriately
• setting clear regulatory expectations to strengthen compliance and taking action if unlawful model training causes risk or harm.

Support and ensure proportional and rights-respecting use of FRT by the police by:

• publishing guidance for police forces on lawful use of FRT and organisational and technical measures to minimise risk
• auditing police forces using FRT and publishing findings
• providing expert advice to government on proposed changes to the law, ensuring any future use of FRT remains proportionate and publicly trusted.

Anticipate and act on emerging AI risks by:

• engaging with industry to assess the data protection elements of agentic AI and publishing a report examining issues such as accountability and redress prior to a consultation on emerging data protection challenges
• setting a high bar for lawful use of AI systems that infer subjective traits, intentions or emotions based on physical or behavioural characteristics, looking at use cases and taking action where systems may cause harm or infringe people's rights.

Civil society organisations urge EC to look at UK adequacy

On 4 June 2025, EU civil society organisations including Open Rights Group and European Digital Rights, sent an open letter to EU Justice Commissioner McGrath, warning that the UK was preparing to diverge from GDPR and Law Enforcement Directive Standards under the Data (Use and Access) Bill. The groups suggest this means the EC should re-evaluate its UK adequacy decision, arguing that the DUA Bill represents " a systematic weakening of privacy and data protection standards". They cite a number of specific provisions including delegated legislative powers in relation to data transfers and special category processing, and raise questions over the independence of the ICO. The letter also mentions other legislation including the Investigatory Powers Act and the use of Technical Capability Notices to undermine encryption, as well as what it calls unregulated use of live facial recognition technology in the UK.

The EU recently extended the UK adequacy decision to the end of 2025, in order to allow it to evaluate the impact of the DUA Bill on UK data protection.

NCSC Cyber security culture principles

On 4 June 2025, the NCSC published Cyber security culture principles which provide six suggestions as to how to create the right cultural conditions in an organisation to support and encourage people to carry out the desired cyber security behaviours, alongside some practical examples. 

ICO and FCA joint blog on responsible AI use

On 2 June 2025, the ICO and FCA published a joint blog setting out what they are doing together and separately to support responsible AI use while protecting consumers and fostering innovation. It looks at areas of collaboration, including under the DRCF, and points to applicable guidance.

EDPB adopts final version of guidelines on transfers to third country authorities

On 5 June 2025, the EDPB published the final version of its updated guidelines on transfers to third country authorities following a public consultation. The guidance focuses on Article 48 GDPR and clarifies how organisations can best assess under which conditions they can lawfully respond to requests for a transfer of personal data from third country authorities. The EDPB reminds organisations that judgments and decisions from third country authorities cannot automatically be recognised or enforced in Europe unless there is an international agreement to that effect providing both a legal basis and a ground for transfer. Where there is no such agreement, requests need to be considered on a case by case basis. The updated guidelines aim to add clarity and cover additional situations.

News as at 4 June 2025

Pass or fail? – DUA Bill enters final stages

Passage of Labour's Data (Use and Access) Bill had been relatively smooth until the House of Lords began introducing successive amendments relating not to data but to the use of copyright materials to train AI. Successive amendments to require transparency provisions, either in the Bill itself or under separate legislation were tabled and then overturned. The Lords have now re-introduced for the second time, an amendment requiring the government to publish legislation covering transparency around use of copyright materials in AI models and output three months after reports on the issue are published. These reports have to be published within a year of the DUA Bill getting Royal Assent further to earlier amendments to the DUA Bill. Because this amendment is being re-introduced a second time without change, the government now has either to accept it, amend it, or face the DUA Bill failing altogether. Watch this space! In the meantime, catch up on the DUA Bill itself (the data elements of which have not changed significantly) and other UK regulatory developments here.

Ada Lovelace Institute calls for legislation on facial recognition and biometric technologies

On 29 May 2025, the Ada Lovelace Institute published a report on a legal framework for the governance of biometric technologies in the UK. The report criticises the current framework as fragmented and containing gaps. It makes six recommendations that would consolidate various mandatory practices and legal requirements into a dedicated biometrics regulatory framework supported by a centralised regulatory body. It recommends the framework be risk-based and proportionate, include safeguards that build on those in existing law including data protection law, adopt a flexible definition of biometrics, establish an independent regulatory body to oversee and enforce the framework, give the regulator powers to produce binding codes of practice, and task the regulatory body in collaboration with policing bodies, to develop a code of practice around facial recognition technology use by the police.

News as at 29 May 2025

EC consults on EU Data Union Strategy

On 23 May 2025, the EC launched a call for evidence and consultation on a Communication on the EU Data Union Strategy.  This covers the use of data in AI and simplifying EU data rules, particularly in relation to sharing data both within and outside the EU and encouraging data importing to the EU.  The Data Union strategy will focus on enabling the development of high-quality, interoperable datasets necessary for AI, and increase trust in data sharing.  Responses are requested by 18 July 2025.

EC publishes Omnibus IV

On 21 May 2025, the EC published its Omnibus IV proposal which is intended to simplify environmental aspects of the Single Market but also touches on GDPR.  The EC is introducing a new category of company as the next stage beyond SMEs.  These small mid-caps (SMCs), ie companies with fewer than 750 employees and either up to €150 million in turnover or up to €129 million in total assets will benefit from some of the SME derogations including under the GDPR.  SMCs as well as SMEs and organisations with fewer than 750 employees will only be required to maintain records when they process high-risk personal data.

The Omnibus IV package also provides exemptions under the Sustainable Batteries Regulation and the EU F-gas Regulation.

DUA Bill to return to the Lords in June

The government again overturned the House of Lords amendments to the Data (Use and Access) Bill.  The Bill will return to the Lords shortly.  It is currently unclear whether further attempts will be made to introduce transparency requirements around AI training into the Bill.  Peter Kyle has suggested that the Data Bill is not the best place to deal with the issue but has said transparency will be "the foundation" of any solution and indicated the government may regret having openly favoured an opt-out approach to AI training.

Meta has started its Meta AI service in EU

The Irish DPC gave Meta the 'all clear' to start its Meta AI service in the EU from 27 May 2025.  The DPC was satisfied that Meta had implemented measures to protect EU citizens' data rights and could now use public data on its platforms to train its AI model.  A last-minute application in Hamburg to suspend this for three months was rejected.  Read more about the Hamburg decision here.

NCSC publishes AI cyber security technical specification

On 22 May 2025, the NCSC announced a new technical specification for baseline cyber security requirements for AI systems and models, and an accompanying report, developed working with DSIT and ETSI.  The specification is intended to address security vulnerabilities specific to AI and can be used by stakeholders throughout the AI supply chain.  It forms part of an ever-expanding suite of documents available to help stakeholders with AI-related cyber security.

Garante fines AI chatbot company EUR 5m

On 19 May 2025, the Italian DPA, the Garante, fined US company Luka Inc. EUR 5m in respect of its chatbot Replika.  The Garante held that Luka had no appropriate lawful basis for processing data, did not have an adequate data privacy policy and did not use age verification.  The Garante also launched an inquiry into the company's risk-mitigation measures.

News as at 22 May 2025

DUA Bill – ping pong continues

The House of Lords re-introduced amendments relating to AI and copyright to the DUA Bill. The Commons can now overrule the House of Lords on anything which has cost implications without having to provide a reason for doing so after invoking financial privilege, however, on Monday 19 May, Beeban Kidron introduced a revised amendment on transparency designed to get around the financial privilege issue by dropping the enforcement requirement. The Bill returns to the Commons later this week but it seems likely that a compromise may be introduced to avoid further delay to the Bill. This is expected to take the form of powers for the Secretary of State to introduce AI transparency requirements around training materials. If the Lords accept the next round, the Bill is expected to become law quickly and certainly ahead of the summer recess.

Government looking at security of enterprise-connected devices

On 12 May 2025, the UK government launched a call for views on proposals to help protect connected devices used in a business context eg printers, internet-connected telephones, building entry systems and room booking systems. The government is concerned about vulnerabilities being used to attack business IT systems. It commissioned research from the NCC Group to conduct a vulnerability assessment which raised a number of security concerns.

The government is proposing a two-part intervention:

• a new voluntary code of practice based on eleven security by design principles
• policy interventions to boost uptake of security requirements – those being consulted on include creating a voluntary pledge, creating a new global standard, and/or introducing new legislation eg to extend the PSTIA to cover enterprise as well as consumer connected devices.

The call is open until 7 July 2025, and the government will publish a response once it has considered the submissions.

ICO consultation on revised encryption guidance

On 13 May 2025, the ICO launched a consultation on its draft updated guidance on encryption. The updates are intended to clarify how and why encryption can support compliance with UK data protection law and the guidance is aimed at DPOs or individuals responsible for aspects of data protection in organisations which use encryption.

NOYB asks for 'cease and desist' order against Meta AI training

NOYB has written to the Irish DPC asking for a cease and desist order against Meta Platform's plan to use its users' public personal data on its Facebook and Instagram platforms for AI training. NOYB argues that Meta is wrongly relying on the legal basis of legitimate interest and should be asking for user consent. NOYB plans to move to an EU-wide class action if this step fails to produce the desired result. Meta is already facing an application for an injunction to stop the AI training from a German consumer group on the same issue and similar grounds.

News as at 14 May 2025

DUA Bill returns to the Lords

The Data (Use and Access) Bill was returned to the House of Lords without the controversial amendments relating to copyright and AI. The government did, however, as expected, included clauses requiring the Secretary of State to publish reports assessing the economic impact of the four policy options in the AI copyright consultation, and a report on use of copyright works in the development of AI, taking into account the responses to the consultation. Both reports are to be published within twelve months of the DUA Bill becoming law. This suggests it will be some time before we see a conclusion on how to tackle the copyright issues raised by AI, however, there are hints that the government may be moving away from the opt-out position set out in the consultation and Chris Bryant said during the debate on the DUA Bill in the House of Commons, that the outcome of the consultation is not "prejudged", stressing the importance of properly remunerating rights holders.

The government also included an amendment to give courts powers to seize illegal deepfake material, however, other proposed amendments failed to pass. Some amendments, particularly those around copyright and AI and the age of consent for social media, were re-introduced in the Lords on 12 May and we may see a protracted 'ping pong' process as the legislation goes back and forth between the Houses of Parliament. Current indications are that the government intends to finalise the legislation before the summer recess which begins on 22 July 2025.

UK government publishes Software Security Code of Practice for software vendors

On 7 May 2025, the government published a new voluntary Software Security Code of Practice for software vendors together with an assurance process. The Code sets out fourteen principles aimed at supporting software vendors and their business customers in reducing the likelihood and impact of software supply chain attacks and other software resilience incidents. Where possible the code reflects internationally recognised best practices including those outlined in the US Secure Software Development Framework and the EU's Cyber Resilience Act.

The Code sets out fundamental security and resilience measures that should be reasonably expected from all organisations developing and or selling software to businesses or other organisations. This includes software services, standalone software or goods that contain software, but it is most relevant to the sale and distribution of proprietary software in the context of B2B relationships. While it is not aimed at open source software, the government suggests it may still be a useful tool in the open source context.

The fourteen principles cover:

• Secure design and development
• Building environment security
• Secure deployment and maintenance
• Communication with customers.

Customers can assure against the Code including by requiring vendors to self-assess compliance using Assurance Principles and Claims based on the NCSC Assurance Principles and Claims Standards document, or requiring an independent audit against the standards. The government is developing a certification scheme based on the compliance process.

EDPB agrees with EU-UK adequacy extension

On 6 May 2025, the EDPB adopted an Opinion agreeing with the Commission's decision to exceptionally extend the EU-UK adequacy agreement by six months in order to enable assessment of the UK regime following enactment of the DUA Bill.  The EDPB also adopted an Opinion supporting the European Commission's draft adequacy decision for the European Patent Organisation.  This is the first adequacy decision to apply to a body rather than a geographical area.

The EDPB and EDPS also adopted a letter addressed to the EC on 8 May 2025, expressing preliminary support for targeted simplification of the GDPR – namely proposals to extend the Article 30(5) derogation from the requirement to maintain a record of processing to cover companies with fewer than 500 employees (rather than the current 250 threshold).

Nineteen EU Member States told to transpose NIS2

The European Commission has warned nineteen EU Member States that they must transpose the NIS2 Directive or face legal action in the CJEU.  The countries yet to transpose NIS2 are Austria, Bulgaria, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Hungary, Ireland, Latvia, Luxembourg, Netherlands, Poland, Portugal, Slovenia, Spain and Sweden.

News as at 7 May 2025

Politicians continue with efforts to include copyright provisions in DUA Bill

Efforts by MPs and members of the House of Lords continue to introduce amendments into the Data (Use and Access) Bill relating to copyright and use of materials to train AI. An additional amendment relates to the use of AI in education. However, the government is adamant that it will not use the DUA Bill to legislate on AI. By way of compromise, the government has introduced amendments which would require it to publish a report on AI training transparency, technical solutions for controlling access to copyright works, and the effect of copyright on the AI market within a year, together with an economic impact assessment of policy options. There are also attempts to introduce a requirement to raise the age of consent to processing of children's data online to 16. The Bill is set to return to the Lords next week. 

Co-op suffers cyber attack

Following the cyber attack on Marks and Spencer, Co-op also suffered a ransomware attack. The attack was claimed by DragonForce who said they were also responsible for the M&S attack and an attempted hack of Harrods. DragonForce showed the BBC databases including usernames and passwords of all employees and a sample of Co-op member data. Co-op said in an update on 6 May 2025, that a limited amount of member data had been exfiltrated and that it had had to close down some of its frontline systems to protect the organisation. The ICO said it is in contact with both the Co-op and M&S and all are working closely with the NCSC.

Harrods confirmed on 1 May that it had also been targeted but had taken steps to keep systems safe, including by restricting internet access to its sites.

ICO and California Privacy Protection Agency joint declaration

On 29 April 2025, the ICO and the California Privacy Protection Agency signed a declaration of co-operation. This will enable them to carry out joint research, share best practice and experience and develop appropriate mechanisms for mutual collaboration.

ICO and OPC call for protection of 23andMe customer data

On 1 May 2025, the ICO and Privacy Commissioner of Canada (OPC), published a letter to the US Trustee overseeing bankruptcy proceedings of 23andMe. They are urging protection of the sensitive information held by 23andMe, particularly in light of the data breach suffered by 23andMe which impacted some of this data.

News as at 30 April 2025

EDPB and EDPS annual reports

On 23 April 2025, the EDPB published its annual report 2024. The report provides an overview of the previous year's work including:

• adoption of the 2024-2027 strategy

• providing eight consistency opinions, including on 'consent and pay', as well as other legal advice and four new sets of guidelines including on legitimate interest

• proactively engaging with stakeholders and holding public consultations to inform future guidelines on 'consent and pay' and an Opinion on AI models

• contributing to cross-regulatory cooperation, particularly in relation to new digital legislation

• making the GDPR understandable and practical for all by presenting guidance and summaries in non-technical language.

On the same day, the EDPS published his annual report for 2024. The EDPS highlighted work on the evolving digital landscape and future and concrete actions on AI, technology monitoring and foresight initiatives and projects, as well as more general supervision and enforcement actions.

ICO fines AFK Letters Co Ltd £90,000 for unsolicited marketing calls

On 24 April 2025, the ICO fined AFK Letters (a company which sends letters seeking compensation and refunds for its customers) £90,000 for unsolicited marketing calls. The ICO found AFK had failed to comply with Regulation 21 of PECR and had not got valid consent to the marketing. Its third-party data supplier had relied on consent statements which did not specifically name AFK. Additionally, AFK's privacy policy did not state that people would receive marketing calls.

Google to maintain current approach to third-party cookies

On 22 April 2025, Google published a blog setting out its latest approach to third-party cookies. It says a lot has changed since it launched the privacy sandbox in 2019 and as a result of that, as well as the acceleration of the adoption of privacy-enhancing technologies, it will maintain its current approach to third-party cookies. This means that it will not be rolling out a new, standalone prompt for third-party cookies but will allow users to choose options in Chrome's privacy settings. Google will continue to enhance tracking protections in Chrome's incognito mode and will launch IP Protection in Q3. The privacy sandbox APIs may now have a different role to play and Google will continue to engage with industry.

UK and Japan announce plans to expand adequacy scope

On 23 April 2025, the UK and Japan published a joint statement on data adequacy. It commits to continuing free data flows with a high level of data protection and sets out plans to expand the scope of the current respective adequacy agreements to new areas including academia and the public sector. It will also focus on collaborative research and administrative co-operation. The expanded framework is expected to be concluded by spring 2026 after a review to determine whether or not to implement the proposed changes takes place.

M&S target of significant cyber attack

Marks & Spencer suspended online sales following a suspected ransomware attack which led to problems with contactless pay and click and collect.  The attack also led to food availability issues in some stores and on Ocado. M&S informed customers on 25 April 2025,  that there was no need for them to take any action but said orders placed after 23 April would be cancelled and refunded. It also informed the appropriate authorities. The attack has been linked to a ransomware group known as Scattered Spider and to a cyber crime group called DragonForce.  

News as at 23 April 2025

EC shows no desire to disrupt status quo on EU-US DPF

On 14 April 2025, the European Commission answered questions raised by the European Parliament about the impact of changes made by the Trump Administration on the EU-US Data Privacy Framework adequacy decision. The Commission's response did little to directly address the concerns which related specifically to changes made to the Privacy and Civil Liberties Oversight Board, access to personal data by DOGE, and law enforcement data protection. Instead it pointed to the protections set out in Executive Order 14086. While the Commission shows no signs of suspending the DPF adequacy decision at the moment, given the emphasis placed on the EO, that could change should the Trump administration revoke it. Read more.

Adoption of the NIS2 Directive remains patchy

Euractiv reports that the Commission's view is that only seven EU Member States have fully implemented the NIS2 Directive with a further seven having partially adopted it. Germany and France are among those countries which have not fully implemented it, owing to delays caused by changes in government.

ICO fines law firm for cyber security failings

On 16 April 2025, the ICO announced it had fined Merseyside-based DPP Law Ltd £60,000 for failure to put appropriate measures in place to ensure the security of personal data. Cyber attackers accessed highly sensitive and confidential personal information and published it on the dark web. DPP Law specialises in law relating to crime, military, family fraud, sexual offences and actions against the police which means it holds highly sensitive and special category data. The ICO said lapses in security practices had left information vulnerable to unauthorised access – in this case, a brute force attack which resulted in access to a legacy case management system. DPP also failed to report the access as a data breach within required time limits.

US bulk data rule now in effect

The US bulk data rule came into effect on 8 April 2025. This restricts transfers from the USA of sensitive personal and government-related data to "countries of concern" – currently China (including HK and Macau), Russia, Iran, North Korea, Venezuela and Cuba. It also impacts access to data by foreign individuals or entities with connections to countries of concern. Read more.

Meta fined EUR 200 million for 'consent or pay' model

On 23 April 2025, the European Commission announced it was fining Meta EUR 200 million for breaching the Digital Markets Act (DMA) obligation to give consumers a choice of services which uses less of their personal data. The fine related to the binary 'consent or pay' model for Facebook and Instagram offered in the EU between November 2023 and November 2024. The DMA requires gatekeepers to get user consent to combine their personal data across services and offer those who do not consent a less personalised but equivalent alternative. The Commission found Meta's binary model did not give users the required specific choice to receive a less personalised but otherwise equivalent service to the free personalised ad service and that Meta did not allow users to exercise free consent to the combination of their personal data across services.

In November 2024, Meta introduced an alternative free version of its Facebook and Instagram platforms which it said used less personal data to display ads. The Commission is still assessing this option and the fine relates to the period during which the binary offering was available once the DMA became applicable – March 2024-November 2024.

Separately, the Commission also fined Apple EUR 500 million for breaching the DMA anti-steering obligation, and said that Meta's Facebook Marketplace need no longer be designated under the DMA.

News as at 16 April 2025

Meta to train AI with EU personal data

On 14 April 2025, Meta announced it would soon begin training its AI models on the interactions that people have with AI at Meta as well as public content shared by adults on Meta products. This will include public posts and comments shared by adults on products in the EU. EU individuals will be able to object to their content being used in this way. EU users using Meta platforms will start receiving notifications shortly to explain how the data will be used and linking to an opt-out form. Meta says it does not use people's private messages to train AI nor public data from under-18s. Meta says it is confident its approach complies with EU law following engagement with regulators.

UK Health Data Research Service launched

On 7 April 2025, the government announced an investment with the Wellcome Trust of up to £600m to create a new health data research service. This is intended to transform access to NHS data by providing a secure single access point to national-scale data sets and cutting red tape for researchers. Clinical trials will also be fast tacked with the aim of cutting the time it takes to set up a trial to 150 days by March 2026. This will be done by cutting bureaucracy and standardising contracts across different NHS organisations as well as ensuring transparency by publishing trust-level data for the first time.

EDPB draft guidelines on processing personal data through blockchains

On 14 April 2025, the EDPB adopted guidelines on processing personal data through blockchain technologies. The guidelines explain how blockchain technologies work, covering different architectures and their implications for data protection. They emphasise the importance of implementing technical and organisational measures at the design stage and clarify the roles of different stakeholders. The EDPB also stresses that a DPIA should be carried out before processing personal data through blockchain technologies where the processing is likely to result in a high risk to the rights and freedoms of individuals. The guidelines are subject to consultation until 9 June 2025.

EC consultation on Action Plan for Cybersecurity of Hospitals and Healthcare Providers

On 7 April 2025, the European Commission launched a targeted consultation on its January 2025 Action Plan for cybersecurity of hospitals and healthcare providers. This is intended to create a safer and more secure environment for patients and healthcare professionals by ensuring application of the EU's cyber security and data protection laws, and to improve threat detection, preparedness and response in the healthcare sector. The deadline for responses is 30 June 2025.

X's AI service Grok attracts Irish DPC's scrutiny

On 11 April 2025, the Irish Data Protection Commissioner launched an inquiry into X's use of personal data to train its Grok Large Language Models. The DPC is concerned that Grok has used personal data available on the X platform. The inquiry will look at a range of compliance issues including transparency and lawfulness of processing.

EC launches review of Cybersecurity Act

On 11 April 2025, the EC opened a consultation on revising the Cybersecurity Act 2019. The review will focus mainly on the mandate of ENISA, the European Cybersecurity Certification Framework and security challenges within the ICT supply chain. The review will look at potentially streamlining the rules and reporting obligations.

EDPB reports on AI privacy risks and using personal data for research

On 10 April 2025, the EDPB published a report on AI Privacy Risks & Mitigations setting out a comprehensive risk management methodology and practical mitigation measures for common risks in LLMs. The report is intended to help DPAs have a comprehensive understanding on the functioning of LLMs and associated privacy risks.

On 3 April 2025, the EDPB also released a study on secondary use of personal data for research purposes which discusses the lack of uniform approach across Member States and perceived gaps in the GDPR.

News as at 10 April 2025

ICO findings on use of children's data by financial services

On 1 April 2025, the ICO published the results of its review of the use of children's data by financial services providers (for example, when providing bank accounts, ISAs and prepaid cards). Key findings include:

• most organisations have children's data policies but there is little monitoring of compliance and little specific training provided in relation to use of children's data
• half of the respondents said they had age-appropriate privacy information but the ICO considers the true number to be lower. The ICO is concerned that some organisations have passed transparency responsibilities on to parents, raising the risk of children agreeing to terms and conditions they don't really understand
• most organisations regularly review the categories of children's data to ensure it is limited to what is necessary and to prevent purpose creep. However, some ask parents to provide consent on behalf of their child but fail to review the consent, risking it becoming invalid until it is refreshed and obtained directly from the child as it grows older
• respondents said that children rarely request exercise of their data protection rights but that parent's views often supersede those of the children due to the difficulty in explaining privacy information and rights to children. In several cases, the decision about whether to accept a request from a child or from parents, was based on a pre-determined age, rather than an assessment of the child's competence.
• robust age verification processes are in use
• almost all respondents have policies in place which prevent marketing to children, however, there is a risk of non-compliance with marketing requirements where a parent's contact information is used for a child's account or service.

UK government's legal action against Apple cannot be kept confidential

An Investigatory Powers Tribunal decision published on 7 April 2025, has held that 'bare details' of an appeal by Apple, reportedly against the issue of a Technical Capability Notice issued to Apple requiring Apple to give the UK government a backdoor to encrypted accounts, cannot be kept confidential. The government had asked that the hearing take place under total secrecy for reasons of national security. The Tribunal's decision does not mean that the hearings will take place in public although it did not rule out the incorporation of a public element, whether with or without reporting restrictions.

Apple fined €150m by French competition authority

The French competition authority fined Apple €150m at the end of March after finding Apple had abused its dominant position and unfairly applied different privacy conditions to its own apps as compared with third-party apps. The issue in question was Apple's App Tracking Transparency tool which prompted users to give consent to tracking. Apple applied this only to third-party rather than to its own apps. The competition authority said either these prompts are necessary to protect privacy in which case they should be universally applied, or they are not in which case they create an unnecessarily complex user experience for third-party apps and also made it likely that they would be less frequently able to use third-party data to finance their business. Apple said it applies the tool consistently across developers and notes that it has not been told by the Competition Authority to make any specific changes. Germany is also investigating this issue.

UK government publishes Cyber Governance Code of Practice

On 8 April 2025, the UK government published the Cyber Governance Code of Practice. This aims to support boards and directors in the private and public sector in governing cyber security risks and sets out the most critical actions for which directors are responsible. The Code is part of the government's package of support and is underpinned by the Cyber Governance Training and the Cyber Security Toolkit for Boards but it is the foundational code in the government's modular approach. It is complemented by the Cyber Essentials scheme.

The Code sets out actions relating to:

• risk management
• cyber strategy
• people management
• incident planning, response and recovering, and
• assurance and oversight.

News as at 3 April 2025

UK government policy plan for Cyber Security and Resilience Bill

On 1 April 2025, the UK government published a policy paper on its planned Cyber Security and Resilience Bill. If it goes ahead as planned, the new Bill will:

• extend the reach of cyber security requirements to cover organisations including Managed Service Providers and critical suppliers. Third-party suppliers will be required to boost their cyber security in areas including risk assessment and to enhance their data protection and network security defences
• enhance incident reporting obligations on in-scope organisations
• give regulators additional tools to improve cyber security and resilience in areas they regulate
• provide significant powers for the Secretary of State to update regulatory frameworks where needed, including to cover new sectors or introducing further security requirements

The government plans to publish the Bill later this year. Read more.

ICO publishes Anonymisation and Pseudonymisation guidance

The ICO published its Anonymisation and Pseudonymisation guidance on 28 March 2025. The guidance is intended to help organisations wanting to anonymise personal data for any purpose and identify the issues they should consider to use anonymisation techniques effectively. The guidance is voluntary and sits alongside the ICO's data sharing Code of Practice. It covers the strengths and weaknesses of various anonymisation techniques and their applicability to particular situations. It looks at the role anonymisation plays across the UK's data protection regime beyond the UK GDPR and UK DPA but as it relates to protection of personal data, although it is also relevant to public bodies considering disclosing or allowing re-use of anonymous data sets. The guidance also explains what is meant by pseudonymisation. It contains a number of case studies and sets out governance and accountability measures.

DORA joint examination team rules published in OJ

On 24 March 2025, the rules concerning the examination teams for oversight activities under DORA were published as a delegated regulation in the Official Journal, coming into force 20 days later. The rules set out details about how the teams are composed and designated, the tasks they need to complete and their working arrangements.

AG Opinion in Meta v EDPB

On 27 March 2025 Advocate General Ćapeta handed down a non-binding Opinion in WhatsApp Ireland Ltd v European Data Protection Board. WhatsApp was appealing the General Court's decision holding that it could not appeal to a national court regarding the EUR 225m fine issued to it by the Irish Data Protection Commission following an EDPB decision that the fine should be higher than originally proposed. The AG opines that EDPB decisions are challengeable whereas the General Court held that the case was inadmissible. If the CJEU follows the Opinion, organisations will be able to challenge EDPB Article 65 decisions directly before the General Court rather than going through national proceedings and potentially a preliminary reference to the CJEU. See our article for more.

23andMe provisionally fined £4.59m for 2023 data breach

On 24 March 2025, the ICO announced its provisional decision to fine 23andMe £4.59m in relation to a data breach suffered in October 2023 and following a joint investigation with the Australian data protection regulator. The ICO notes that 23andMe has filed for Chapter 11 bankruptcy in the USA, but says it is still obliged to comply with UK data protection law during this process. 23andMe can now make representations regarding the ICO's initial findings before a final decision is reached.

ICO fines Advanced £3.07 m for security failings

On 27 March 2025, the ICO confirmed its decision to fine Advanced Software Group Ltd £3.07m for security failings by one of its subsidiaries. Advanced's health and care subsidiary provides IT and software services to the NHS and other healthcare providers. In 2022, it suffered a ransomware attack. Hackers were able to access systems via a customer account that did not have multi-factor authentication. The personal data of nearly 80,000 people was put at risk and there were reports of disruption to critical services. The ICO concluded Advanced's subsidiary did not have appropriate technical and organisational measures in place immediately prior to the incident, including because it had gaps in deployment of MFA, a lack of comprehensive vulnerability scanning, and inadequate patch management. The final amount of the fine has been reduced from the provisional amount of £6.09m announced in August 2024 following representations made by the company.

NCSC principles for privileged access workstations

On 25 March 2025, the NCSC published guidance to help organisations and cyber security professionals implement effective privileged access workstation (PAW) solutions in organisations. The guidance outlines the essential characteristics and practical considerations for implementing them in typical scenarios in the form of eight principles.

Draft Health and Social Care Information Standards (Procedure) Regulations 2025

Under s250 of the Health and Social Care Act 2012 (HSCA) as to be amended by s95 Health and Care Act 2022 (HCA), the Secretary of State, NHS England or both acting jointly, can prepare information standards relating to the processing of health and adult social care information in order to ensure interoperability. The procedure for making these information standards has now been set out in the draft Health and Social Care Information Standards (Procedure) Regulations 2025. S95 HCA is not yet in force but will be brought in at the same time as the draft Regulations become law. The Regulations include obligations to seek relevant advice from someone with appropriate expertise, cover what must be included in information standards, and require a review of information standards at such intervals as may be determined appropriate by the responsible authority.

NOYB files complaint over ChatGPT hallucinations

Privacy advocacy group NOYB has filed a complaint with the Norwegian data protection authority against OpenAI, relating to ChatGPT's hallucination in which a man was wrongly said to have murdered his daughters and been convicted. The information was presented alongside accurate information about the user. OpenAI says it has since updated ChatGPT so that it uses the internet to search for information about individuals but the complaint is concerned with the possibility that the hallucination may still be part of ChatGPT's dataset. While ChatGPT does include a caveat that user information may be inaccurate, the complaint suggests this is insufficient and alleges that by knowingly allowing ChatGPT to produce inaccurate and defamatory information, OpenAI is breaching the GDPR accuracy principle.

News as at 27 March 2025

ICO measures to drive economic growth

On 17 March 2025, the ICO unveiled a package of measures to support the government's growth agenda.

These include:

• a data essentials training programme for SMEs intended to help savings of at least £9.1m over three years
• an experimentation regime to enable businesses to trial innovative data-driven solutions under oversight and have "comfort from enforcement of certain data protection requirements" starting with consent rules for privacy-preserving advertising models. The ICO says realising the full potential of this regime will involve legislative change (most likely of PECR) which the government will consider after the ICO's pilot. In the autumn, the ICO will publish a statement identifying low-risk advertising activities which are unlikely to result in enforcement action
• a statutory code of practice for private and public sector businesses developing or deploying AI
• paving the way for privacy-friendly online advertising with a regulatory review
• new guidance on international data transfers to make it easier for UK businesses to access new markets and partners.

These commitments were also published in an Annex to the government's New approach to ensure regulators and regulation support growth" on the same day. This sets out the government's plan to reform the UK's regulatory landscape to support the growth agenda.

EC proposes extending UK adequacy decisions by six months

The European Commission is proposing to extend the EU-UK data adequacy decisions by six months to 27 December 2025 in order to assess the impact of the Data (Use and Access) Bill on the UK's data protection regime. The EC would prefer to wait for a short period after the DUA Bill becomes law (expected in April/May) before reaching a decision on whether or not to renew the adequacy agreements which allow for unrestricted personal data flows between the EU and UK.

In other news on data transfers:

• EU Commissioner McGrath said in a webinar that the EU is committed to continuing with the EU-US Data Privacy Framework despite the impact of changes to the US Administration.
• The EDPB approved a document setting out procedures for approval of Binding Corporate Rules for controllers and processors (BCRs) on 13 March 2025. In summary: the EDPB says the BCRs must be approved by the relevant national data protection authority and includes the process by which the organisation should justify the authority it selects. The Lead BCR should then refer the BCRs using the Article 57 cooperation mechanism. Where required, there will then be a consolidated draft sent ultimately to the EDPB which will issue a non-binding draft decision before a binding decision by the Lead BCR.

DSIT launches calls for evidence on data brokers and intermediaries

On 18 March 2025, DSIT launched:

• a call for evidence on data brokers and national security. DSIT is concerned that the data brokerage market may present security risks and wants views on security processes used by data brokers to help inform policy
• a call for evidence on barriers to the role of data intermediaries and data portability. The call focuses on the exercise of data subject rights, the delegation of those rights to third parties, and the activity of data intermediaries as well as the wider regulatory framework in this area.

Both calls close at 11.59pm on 12 May 2025.

Bindl appeals to ECJ

Privacy campaigner Thomas Bindl is appealing the EU's General Court decision which dismissed his claim arguing that his personal data was unlawfully transferred to the US via a European Commission website, while awarding him EUR 420 in damages. In his appeal, Bindl argues the Court's refusal to grant his request to annul the data transfer was incorrect and violated his rights under Article 47 of the EU Charter of Fundamental Rights. The European Commission has also appealed aspects of the decision.

EC consultation on Cyber Resilience Act implementing regulation

On 13 March, the European Commission published a consultation on the Cyber Resilience Act implementing regulation. The consultation closes on 15 April 2025. The implementing regulation is on the technical description of the categories of important and critical products with digital elements under the CRA.

Meta settles ad targeting case

Meta has reportedly settled a case brought by human rights campaigner Tanya O'Carroll. She alleged that Meta had breached UK data protection law by failing to comply with her request to stop using her personal data for targeted advertising. The settlement was individual but potentially paves the way for other claims. On 22 March 2025, the ICO underlined the right of individuals to object to the use of their personal data for direct marketing and said it would continue to engage with Meta on the issue. Meta maintains it has complied with UK data protection law and says it is considering changing to a 'pay or consent' model in the UK similar to the one it operates in the EU.

News as at 20 March 2025

European Commissioner suggests GDPR will be simplified

Commissioner McGrath, EU Justice Commissioner, has said that the EU GDPR will be included in a future omnibus package which will focus on reducing the regulatory burden on smaller organisations. He also said the EU would need to continue to monitor developments with the EU-US DPF but noted that he had had a positive meeting with Andrew Ferguson, the Chair of the Federal Trade Commission.

ICO and FCA letter on AI, innovation and growth in financial services

On 10 March 2025, the ICO and FCA published an open letter to trade association chairs and CEOs of financial services firms saying the regulators understand the need for regulatory clarity on use of AI in financial services. A recent FCA and Bank of England survey cited data and consumer protection to be in the top three regulatory constraints to AI deployment within financial services. The FCA and ICO propose a roundtable with industry leaders in May to discuss areas of uncertainty and challenge and look at how the regulators can work together with industry to support growth.

Government reverses copyright amendments in DUA Bill

As anticipated, the government has reversed Beeban Kidron's amendments to the Data (Use and Access) Bill. These had proposed that operators of web scrapers and GPAI models be required to comply with UK copyright law and be transparent about their identity as well as allow content creators to understand whether their content had been scraped to train AI. Chris Bryant has said the DUA Bill could pass as soon as late April.

Planning and Infrastructure Bill published

The UK's Planning and Infrastructure Bill was published on 11 March 2025. Among other planning reforms, it re-classifies data centres as nationally significant infrastructure projects. This means the planning process to build them will be fast-tracked and streamlined and limits how it can be challenged in court.

EDPS 2020-24 enforcement review

On 6 March 2025, the EDPS published its 2020-24 mandate review setting out its enforcement actions and its enforcement priorities.  It has said it will continue its enforcement efforts, particularly around online harms, child sexual abuse material, and cyber security.

Privacy groups challenge government's request to access Apple data

On 13 March 2025, Privacy International, Liberty and two individuals, announced they are challenging the Home Secretary's reported decision to serve Apple with an order under the Investigatory Powers Act requiring access to personal data held by Apple.  They also made a separate urgent application to make hearings dealing with the Technical Capability Notice public.  

News as at 12 March 2025

Apple appeals IPA order

Apple is reportedly appealing the order issued under the Investigatory Powers Act requiring it to give the government a backdoor into encrypted services globally in the event of a national security threat.  As Apple is not able to provide access to data encrypted using its Advanced Data Protection tool, it chose to withdraw the tool in the UK.  President Trump criticised the UK's actions describing them as "something that you hear about in China".   Apple is appealing to the Investigatory Powers Tribunal to try and get the order overturned.

Government report on pilot of Cyber Governance Code of Practice

On 5 March 2025, the government published a report on the results of its pilot of the proposed Cyber Governance Code of Practice.  The draft Code sets out the expectations on company directors in relation to managing cyber risks.  The report analyses the feedback from around 20 companies which had attempted to implement the Code and makes several recommendations for improvement, including to map it onto other relevant guidance and publish it on a government website.

EDPB launches right to erasure co-ordinated enforcement action

On 5 March 2025, the EDPB launched its fourth co-ordinated enforcement action which will focus on the right to erasure.  32 EU DPAs are expected to participate and to look at how controllers deal with right to erasure requests, including the application of exemptions.  They will carry out fact-finding exercises and may also open formal investigations.

EU SAs approve EC changes to rules on subcontracting under DORA

On 7 March 2025, EU Supervisory Authorities, EBA. ESMA and Eiopa, published an Opinion in which they approved the European Commission's updated Draft Regulatory Technical Standards specifying the elements that a financial entity has to determine and assess when subcontracting ICT services supporting critical or important functions under article 30(5) of the Digital Operational Resilience Act (DORA).  The rules, drafted by the SAs, had were changed by the Commission which said the original version had gone beyond the scope what was required.

EP Research Service raises concerns about EU-UK adequacy decision

The European Parliamentary Research Service has published a memo raising some concerns about the UK's data protection regimes which it thinks could impact renewal of the EU-UK adequacy decision, due by 27 June 2025.

In particular, the Research Service is concerned that the Data (Use and Access) Bill would raise new or deepen "existing adequacy concerns" including:

• the removal of protections in relation to automated decision-making
• the reduction of transparency, notably in the area of AI
• the conferral of excessive powers on the Secretary of State to override safeguards
• the reduction of accountability over how data is shared and accessed for law enforcement or other purposes.

The memo also sets out concerns about the Investigatory Powers (Amendment) Act and specifically mentions the access order reportedly issued to Apple.  It stops short of making any kind of recommendation to the Commission.

News as at 6 March 2025

EU-US Data Privacy Framework in danger?

6 March 2025 is the date by which all President Biden's national security decisions and other orders, memoranda and proclamations have to be reviewed. It is rumoured that the report to be published on that date will recommend that President Trump rescind the Executive Order which underpins the EU-US Data Privacy Framework (DPF).  If the President acts on this and revokes the DPF EO, the Commission could revoke its adequacy decision immediately without a transition period.

Even if the DPF EO survives, the European Commission may could still act.  The Commission has until 19 March to respond in writing to calls from 19 MEPs on 5 February for it to state whether the DPF still meets adequacy requirements, and to a request from the LIBE Committee on 6 February along similar lines.  Both the MEPs and the LIBE Committee are concerned about the fact that the independent Privacy and Civil Liberties Oversight Board which is responsible for ensuring transparency and accountability of US surveillance authorities, is no longer quorate.  The PCLOB is responsible for monitoring whether US intelligence agency access to EU personal data is necessary and proportionate and also oversees the redress mechanism for EU citizens under the DPF, the Data Protection Review Court.  It is therefore seen by many as crucial to the operation of the DPF. 

ICO investigates how social media and VSPs use UK children's data

On 3 March 2025, the UK's ICO announced three investigations as part of its wider interventions into how social media and video sharing platforms use children's data:

• an investigation into how TikTok uses 13-17 year-olds' personal information to make recommendations to them
• an investigation into how Reddit and Imgur asses the age of the child UK users.

If the ICO finds sufficient evidence that any of these companies have breached UK data protection legislation, it will put its findings to the relevant company and obtain their representations before reaching a final conclusion.

EP Research Service briefing on potential conflict between AI Act and GPDR

On 27 February 2025, the European Parliament Research Service published a briefing on the interplay between the GDPR and the AI Act. In particular, the briefing looked at the requirement under the AI Act to mitigate discrimination and bias in high-risk AI systems, potentially using special category data to be processed, subject to restrictions.  The Research Service is concerned that the use of special data for these purposes is more restrictive under the GDPR which creates uncertainty and that this may need to be addressed through legislative reform or further guidance

ECJ decision on transparency of ADM

On 27 February 2025, the ECJ ruled in a reference from Austria about the use of automated decision making and credit scoring.  A mobile phone company had relied on the credit rating assessment from Dun & Bradstreet Austria and turned down an application for a contract by an individual.  The individual then asked for information about the logic involved in the automated decision-making under Article 15(1) GDPR.  The referring court asked the ECJ to determine how detailed the response had to be and asked for clarification on how the balance between protecting trade secrets and the right of access under the GDPR should be assessed.

The ECJ ruled that information provided to data subjects had to be sufficiently clear that they could understand what personal data was used to obtain a specific result.  It was not sufficient to provide complex information which the individual would be unable to understand.  The data subject's rights cannot be overridden by the controller's desire to protect trade secrets.  In the event of concern or doubt, the controller should apply to a court or the supervisory authority for clarification.

See our article by David Klein for more.

Product Security and Telecommunications (Infrastructure) (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2025

These Regulations were made on 24 February 2025 and came into force on 25 February 2025, passing without amendment.  They amend the PSTIA Regulations 2023 to:

• correct an error in Schedule 1 to clarify that a manufacturer must publish any extended date for the length of time for provision of security updates as soon as practicable
• add three new exceptions relating to certain types of vehicles from being considered as relevant connectable products under the PSTIA.

ICO also investigating DeepSeek

The ICO is reportedly joining others in investigating DeepSeek's data practices.  South Korea's privacy regulator has suggested DeepSeek has engineered its system to cover up data flows, relying more heavily on hard coding than other GenAI models, making it harder to analyse the data being processed.  Reports suggest DeepSeek is rapidly being embedded in China's government services, causing local concerns around privacy and cyber security.

EHDS published in Official Journal

The European Health Data Space Regulation (EHDS) was published in the Official Journal on 5 March 2025 and will come into force on 26 March 2025.  General provisions will take effect from 26 March 2027, with key rules on primary and secondary use of health data following on 26 March of 2029 and of 2031. Certain technical, organisational, and regulatory measures will be implemented in stages by 26 March 2035.

The EHDS aims to give users control of their electronic personal health data, nationally and cross-border, and create a single market for electronic health record systems, relevant medical devices and high-risk AI systems. This will also be used for the benefit of research and innovation and policy. Individuals will have access to and control over their electronic health care records. There will also be mandatory interoperability and security requirements, and mandated common forms.

News as at 26 February 2025

European Parliamentary Committee asks EC to review position of EU-US DPF

On 6 February 2025, the European Parliament's LIBE Committee wrote to the European Commission asking whether the changes made by President Trump to the US Privacy Civil Liberties Oversight Board which left it non-quorate, have an impact on the EU-US Data Privacy Framework. The DPF allows data from the EU and, by extension, the UK, to flow to US signatories without the need for additional transfer mechanisms. LIBE asks the Commission to assess whether the requirement for an essentially equivalent level of protection for EU data when transferred to the US is still being met.

Digital Resilience reporting notification rules published in OJ

On 20 February 2025, the rules on the notification and reporting of major ICT-related incidents and of significant cyber threats under the Digital Operational Resilience Act, were published in the Official Journal. These comprise Implementing Regulation 2025/302 which sets out standard forms, templates and procedures for reporting, and 2025/301 which sets out technical standards specifying the content and time limits for reporting major ICT-related incidents as well as the voluntary notification for significant cyber threats.

Apple removes optional cloud data encryption service from UK

On Friday 21 February, Apple announced it would no longer offer its highest level of data protection service in the UK. The optional service provided for end-to-end encryption of data stored in iCloud. However, last month, Apple received a "technical capability notice" from the UK government under the Investigatory Powers Act, effectively requiring it to give law enforcement access to data worldwide in order to investigate terrorism and child sexual abuse material, subject to a court order.  This order for a 'backdoor' to Apple security has been widely criticised by a number of privacy advocates and technology companies.  Although not explicitly connected to the IPA request by Apple, it appears that rather than give the UK government access, Apple has withdrawn the encryption service in the UK, although this does not address the fact that the IPA purports to cover worldwide access.

ICO Tech Horizons report 2025

On 19 February 2025, the ICO published the Tech Horizons Report 2025.The report looks at key technologies likely to be adopted in the next two to seven years with a significant impact on privacy. The 2025 report focuses on:

• connected transport
• quantum sensing and imaging, especially in healthcare and medical research
• digital diagnostics, therapeutics and healthcare infrastructure
• synthetic media, its identification and detection.

The ICO says that trends identified in previous reports will also apply to these technologies, in particular:

• the revelation of novel types of information (eg brain patterns)
• the collection and processing of large amounts of personal information
• a lack of transparency and accountability, particular with mass take-up of the technologies.

The ICO will proactively address these issues as the technologies develop.

Google allows 'fingerprinting'

On 16 February 2025, Google lifted its prohibition on advertisers using digital fingerprinting.  Digital fingerprinting allows the collection of information from hardware and software which, when combined, can identify individual devices and users.  This can be used to track users online and target ads at them.  Google has removed third party cookies and will now give users the ability to opt out of tracking using cookies, however, there will not be a choice to opt out of the use of digital fingerprinting techniques.

DeepSeek data scrutiny continues

DeepSeek's data protection practices continue to attract regulator scrutiny, with a number of German DPAs looking at whether or not DeepSeek's parent companies have appointed a representative in the EU.  Outside the EU, Taiwan, South Korea and Australia are among the countries to have expressed concern.

News as at 20 February 2025

Data (Use and Access) Bill presented to House of Commons

After completing the House of Lords stage, the Data (Use and Access) Bill moved to the House of Commons and had its first readings on 6 and 12 February. 

The House of Lords made a number of amendments to the Bill, in particular around data scraping to train AI. It introduced new clauses 135-9 which would require the Secretary of State to introduce regulations to require operators of web crawlers and GPAI with a UK connection to:

• comply with UK copyright law, regardless of where training and development of the AI system takes place
• disclose information about scraping and text and data used to train GPAI models
• give the ICO powers to monitor and enforce operator compliance with transparency requirements

The Secretary of State would also be required to review technical solutions to prevent and identify unauthorised scraping or use of text and data.

Parliament also introduced new offences in respect of sexually explicit images created without consent (deepfakes). 

The ICO published an updated response the DUA Bill on 10 February 2025. The ICO stresses that he does not want the proposed amendment around protection of children's data to suggest that the standard of data protection required for children's data is a higher one than that relating to the processing of adult personal data. The ICO has also requested clarity on a number or points including on the fact that new duties around children's data appear to cover data protection by design but not by default. The ICO reiterates support for the ADM provisions (which were not amended in the Lords), saying they strike the right balance, but has resourcing concerns around the ICO's potential new responsibilities around data scraping.

The Bill now moves to Committee stage with a report expected by 18 March 2025. It is unclear the extent to which these amendments will survive.

EDPB statement on age assurance

The EDPB adopted a statement on age assurance on 12 February 2025. The statement aims to form a basis for consistent application of age assurance across the EU. It underlines that the best interests of the child are of primary importance across the spread of children's rights and sets out a number of other principles to design GDPR-compliant age assurance, based largely on the data protection principles in the GDPR.

As part of the same announcement, the EDPB also said it had adopted recommendations on the 2027 WADA World Anti-Doping Code and that it would extend the scope of the ChatGPT taskforce to AI enforcement.

EC promises reduction of red tape and bureaucracy including on cyber security legislation

On 11 February 2025, the EC published a Communication on a simpler and faster Europe, which sets out a five year plan for simplifying the way the EU works and reducing red tape and bureaucracy. The Omnibus packages announced in the Work Programme will be a key deliverable. These are intended to streamline regulatory compliance, including in the area of data breach and other required cyber notifications. The Digital package will entail a review of the Cybersecurity Act and simplification of cyber security legislation. This will form part of a broader review of the digital acquis and whether that accurately reflects the needs and constraints of businesses including SMEs. "Among other things a European Data Union Strategy will address existing data rules to ensure a simplified, clear and coherent legal framework for businesses and administrations to share data seamlessly and at scale, while respecting high privacy and security standards". There will also be a gradual stress-testing of the stock of EU legislation (fitness checks).

Paris AI Action summit

The Paris AI Action Summit was held on 10-11 February 2025. The agenda of the summit was heavily focused on AI opportunities with AI Safety issues taking up the minority of the time. There were many initiatives, agreements and investment announcements made during the Summit, and AI safety was certainly not forgotten, but perhaps the most notable thing to arise from it was the refusal of the USA and the UK to sign the declaration on open, inclusive, ethical and sustainable AI. At least 60 countries have signed it including France, Germany, China, India, Japan and Canada. 

The USA's snub might have been expected with Vice President Vance taking aim at what he described as the EU's overly restrictive regulatory framework on AI, data and online safety. The US reportedly objected to the declaration's focus on multilateralism, inclusion, the environment and the emphasis on safe and ethical AI development. The UK's decision not to sign was more of a surprise and has led to accusations that it is currying favour with the USA. A government spokesperson said the government would only ever sign up to "initiatives that are in UK national interests" and the government later commented that the declaration was insufficiently clear on global governance and did not address national security. The government did, however, sign other agreements including on sustainability and cyber security and, of course, it plans to legislate on AI safety later this year.

Reactions to the UK's decision have been mixed with some arguing that the government was right to say the declaration did not go far enough on safety, and others offering a range of views from believing that the decision is damaging to the UK's AI aspirations to saying it is helpful in promoting the UK as a liberal market for AI development. 

On 14 February 2025, the government announced it was renaming the UK AI Safety Institute as the UK AI Security Institute to reflect a new focus on strengthening protections against the risks AI poses to national security and crime. A new criminal issue team will research a range of crime and security issues which could harm UK citizens (for example the use of AI to generate CSAM), acting in conjunction with the Home Office. The government says the Institute "will not focus on bias or freedom of speech but on the most serious risks posed by the technology to build up a scientific basis of evidence which will help policymakers to keep the country safe as AI develops".

The government also announced a new agreement with Anthropic on AI opportunities to grow the economy.

EC draft guidelines on definition of AI System in the EU AI Act

On 6 February 2025, the European Commission published draft guidelines on what meets the AI Act definition of an AI system. The guidelines divide the definition into seven elements, all of which must be present at some point during the system's development and use in order for the definition to apply. The seven elements are:

• Machine-based system
• Autonomy
• Adaptiveness
• AI system objectives
• Inferencing how to generate outputs using AI techniques
• Outputs that can influence physical or virtual environments
• Interaction with the environment.

All these elements are further explained in the draft guidance which is (only) 13 pages long.

News as at 12 February 2025

High Court ruling on consent by vulnerable individuals

On 23 January 2025, the High Court handed down a ruling looking at the consent requirement under the GDPR and PECR in relation to a vulnerable recovering gambling addict. RTM, a self-described recovering gambling addict, consented to revised terms and conditions introduced in 2018 when the GDPR came into effect. This included consenting to the processing of personal data about RTM's activities on the sites owned by Bonne Terre Ltd and Hestview Ltd, operating as Sky Betting and Gaming (SBG), using cookies, and then to receiving direct marketing. SGB carried out detailed profiling analytics and algorithmic predictions to target the RTM with a significant amount of direct marketing.

RTM claimed he had not given legally effective consent to the use of his personal data and that he had not consented to receiving direct marketing, nor had he been provided with a compliant way to opt-out of receipt.

The High Court upheld RTM's data protection claims (although was unpersuaded by an additional claim relating to misuse of private information). The Court held that consent had to be of a "relatively high" quality and that this was context-specific, taking into account:

• the individual's subjective state of mind as to what they thought, understood and desired
• the individual's autonomous choice about consent based on external circumstances
• the evidential basis on which the controller relied.

The Court said that by ordinary standards, RTM was a highly vulnerable individual. He had not read the terms and conditions but had simply clicked through them in behaviour "which is too overborne, passive, unfocused and ambiguous and too bound up with the craving or compulsion to access gambling, to which the consenting is experienced as a condition to be overcome, to meet the necessary legal standard". The Court therefore found that the individual lacked subjective consent and that the autonomous quality of his consenting behaviour was impaired "to a real degree" so consent was insufficiently freely given.

While the Court agreed that the post 2018 engineering of consent mechanisms was sufficient to for SGB to rely on it being probable that where boxes had been ticked, a specific autonomous decision had been taken to consent, it said a data controller relying on consent cannot rely absolutely on generic probabilities. There was an ineradicable risk that that the autonomy of the consenting behaviour of gamblers is vitiated to some degree by problem gambling. In this case, the Court accepted that it had been. Therefore, SGB's use of cookies and subsequent direct marketing were not lawful processing.

The Court recognised direct marketing about gambling to online gamblers raises special issues and was at pains to stress both that its decision rested on the individual circumstances of the Claimant, and on the timing of the activities, recognising that the online gambling industry practice has moved on. However, the Court did say that "there is an obvious risk of defective consent" when sending direct marketing about gambling to gamblers. 

While the scope of the judgment was limited to the facts of the case, it raises issues when relying on consent, particularly in the online gambling sector. 

Bonne Terre Ltd which trades as SGB, was reprimanded in September 2024 by the ICO for unlawfully processing personal data through cookies without consent. SGB said this had been due to a technical error which had been fixed.

Separately, an Observer investigation found 52 of 150 tested gambling companies were unlawfully tracking users without their consent by embedding Meta Pixel on their websites which sends information to Facebook which is then used to profile individuals and send them gambling ads. The transfer of personal data was happening before the person agreed to accept or reject marketing when the webpage loaded on a number of sites.

ICO direct marketing advice generator tool

On 5 February 2025, the ICO launched a direct marketing advice generator tool. It provides free advice about how to carry out direct marketing across a range of methods in compliance with UK law. It is aimed primarily at small organisations and is currently in beta phase.

AG Opinion on pseudonymised data 

On 5 February 2025, AG Spielman issued an Opinion in the case of EDPS v Single Resolution Board. The Single Resolution Board (SRB) appealed a decision of the EDPS. SRB had shared opinions of its shareholders with consulting firm Deloitte. The name of each shareholder was replaced with an alpha-numerical code before sharing. SRB is an EU institution and has parallel obligations in relation to personal data to those under the GDPR. The EDPS held that SRB had breached transparency requirements by failing to inform the individuals that their data was being shared with a third party. SRB had argued it did not need to do so as the transmitted data would be anonymous. The General Court annulled the EDPS decision, holding that it was incorrect to decide the data was personal data in the hands of Deloitte and that it had failed to consider that Deloitte had no means by which to reidentify the data subjects. The EDPS then appealed the General Court's decision to the CJEU.

In his Opinion, AG Spielman said the EDPS had failed to verify whether or not Deloitte had the means to re-identify the data. Pseudonymised data will not be personal data where the risk of reidentification by the recipient is non-existent or insignificant. The pseudonymised data is, however, personal data with respect to the re-identification 'key holder' and the AG said SRB had failed to meet transparency requirements as it should have informed the data subjects that data would be transferred to Deloitte.

The CJEU is expected to give final judgment in the summer.

AG Opinion on processing of personal data in ads on online marketplaces 

AG Szpunar has opined in the case of X v Russmedia Digital and Inform Media Press that the operator of an online marketplace acts as a processor of personal data contained in advertisements on the platform. for GDPR purposes. As such, there is no obligation to check the content of such ads systematically before publication. The operator does have to adopt organisational and technical measures to protect the data, and operates as a controller of personal data of user advertisers registered on the marketplace and must verify their identity.

ePrivacy Regulation pulled

After years of deadlock the ePrivacy Regulation has been dropped from the European Commission's 2025 Work Programme, published on 11 February 2025. The Commission is expected to replace it with separate legislative proposals on data retention, cookies and digital advertising. The AI Liability Directive was another casualty although the European Parliament is hoping to cover similar ground in a software liability law.

ICO publishes guidance on protecting employment records

The ICO published guidance on how to keep employment records safe on 5 February 2025. It is intended to help employers understand how the law applies to employment records and how to balance the need to keep these records with the right to a private life.

Separately, the ICO also published a blog 'myth busting' popular misconceptions around personal data and AI.

DeepSeek under continued DPA and EDPB scrutiny

The EDPB will be discussing DeepSeek during its plenary session this week as individual DPAs including from Luxembourg and the Netherlands, warn users not to share personal data with its chatbot. 

News as at 6 February 2025

UK AI Cyber Security Code of Practice and implementation guide

On 31 January 2025, the government published a Code of Practice for the Cyber Security of AI (CoP) and an implementation guide. The CoP has been updated from the draft following a call for views, and an implementation guide has been published in response to stakeholder feedback.

The CoP is voluntary and focused on AI systems, setting out cyber security requirements for the AI lifecycle split into five phases: secure design, secure development, secure deployment, secure maintenance and secure end of life. Other standards and guidance are signposted where appropriate. The CoP is divided into standards for developers, system operators, data custodians, end-users and affected entities.

The intention is that the CoP will be used to help create a global standard in the European Telecommunication Standards Institute. 

ICO fee increases confirmed

On 27 January 2025, the Data Protection (Charges and Information) (Amendment) Regulations 2025 were laid before Parliament. As a result of a consultation, the planned data protection fees are slightly lower than originally proposed with the increase being 29.8% rather than 37.2% across the three tiers. The Regulations come into force on 17 February 2025, at which point the annual fees paid by controllers to the ICO will be:

• Tier 1 (micro-organisations) £52
• Tier 2 (SMEs) £78
• Tier 3 (large organisations) £3,763.

There are no changes to the tier structure.

Government response to call for views on Cyber Governance Code of Practice

The previous government published a draft Code of Practice on Cyber Governance (CoP) as part of a call for views in January 2024. DSIT published the current government's response to the call for views on 31 January 2025. 

The aim of the CoP is to support directors and board members to understand what they should be doing as a minimum to oversee cyber risk management and provide a clear set of actions. DSIT is also exploring how the code can be used to support regulators to assist with regulatory compliance.

The draft CoP comprises five principles, each underpinned by three to five actions. The principles are risk management, cyber strategy, people, incident planning and response, and assurance and oversight. It is designed to complement the NCSC Cyber Security Toolkit for Boards.

There was widespread approval of the CoP from respondents although there were suggestions for additions and requests for clarity as to how it might work with other guidance and resources. Most respondents were in favour an assurance scheme subject to its design.

DSIT will now make minor edits to the draft Code and aims to publish it shortly. Together with the NCSC, DSIT will develop materials to support implementation and industry uptake.

NCSC guidance on Content Credentials

The National Cyber Security Centre published introductory guidance on the use of Content Credential technology on 29 January 2025 – a co-publication with the USA, Australia and Canada. Content Credentials are cryptographically secured metadata to allow content creators to add information about themselves, about creative sources, and about editing history to content. They can help users to assess authenticity, understand intellectual property rights, and distinguish real from synthetic content. The guidance covers when to use Content Credentials, how to make it clear to users that they are there, and how to make them durable. The NCSC encourages adoption while recognising they do not necessarily provide a complete solution.

House of Lords pass amendments to Data (Use and Access) Bill

A number of amendments to the Data (Use and Access) Bill were voted through by the House of Lords at Report Stage on 28 January 2025. This includes an amendment to require AI developers with a UK connection to comply with UK intellectual property law and disclose how they obtain training data. It remains to be seen whether this and other amendments will survive on the Bill's return to the Commons, particularly given the government's consultation on AI and copyright. The government also agreed to bring its own amendment to ban sexual deepfakes, rather than including provision on this in the Crime and Policing Bill as originally intended. 

Garante restricts processing of Italian personal data by DeepSeek

Amidst widespread concern about the processing of EU personal data by DeepSeek, the Italian DPA, the Garante, has issued an order restricting DeepSeek's parent companies from processing Italian personal data. The companies say they do not operate in Italy and are not subject to Italian data protection law. There are concerns that personal data is being transferred to China with no controls over its use and no transparency over what is happening to the data, as well as over the lawful basis for processing it. DeepSeek is also under scrutiny from the CNIL and the Irish DPC.

TalkTalk suffers data breach

UK mobile phone operator TalkTalk played down claims that credentials of 18.8m users had been hacked at the end of January. TalkTalk said it was investigating the breach but that the figure of 18.8m was considerably exaggerated. It also underlined that no financial or billing information had been accessed. A hacker using the alias 'b0nd' took responsibility for the attack and is thought to have gained unauthorised access to the systems of a TalkTalk third party supplier. TalkTalk suffered a high profile breach in 2015 which resulted in a £400,000 (pre-GDPR) fine.

EU AI Act prohibitions on certain types of AI and AI literacy requirements now apply

On 2 February 2025, Article 5 EU AI Act came into application. This prohibits certain types of AI including AI systems used for social scoring, emotional analysis in the workplace, and subliminal manipulation. On 4 February, the EC published guidelines on prohibited AI practices which provide explanations and practical examples to help stakeholders understand and comply with Article 5 requirements.

In addition, the EU AI Act AI literacy requirement under Article 4 came into force. Providers and deployers of AI systems must ensure their employees and contractors using AI have an adequate degree of AI literacy.

Please see article by TWG which includes tables with suggested AI literacy plan and an overview of prohibited AI systems.

News as at 30 January 2025

Is the EU-US DPF under threat?

The Executive Order which underpins the EU-US Data Privacy Framework was not one of the many Executive Orders rescinded by President Trump when he came into office, however, the Trump administration has required the three Democrat members of the US Privacy and Civil Liberties Oversight Board to resign. The Board plays an important role in the legal redress complaints process under the DPF. The 'resignations' will leave the Board non-quorate unless successors are seamlessly appointed. This in turn raises the spectre of a challenge not only to the DPF, but also to the ability to use SCCs and BCRs without the need for supplementary measures in relation to EU-US transfers. If the DPF falls, it would also likely impact the UK-US Data Bridge, however, any challenge in the courts would take some time to progress.   

ICO sets out plans to stimulate UK growth

The ICO has published a letter sent to the government setting out its plans to help stimulate the UK economy. It proposes:

• Giving businesses regulatory certainty on AI – the ICO will produce a single set of rules for those developing or using AI. It supports the government in legislating for the rules to become a statutory Code of Practice. The ICO also plans to progress guidance on issues including neurotech, cloud computing and IoT devices, as well as to support government in the rollout of public sector AI.
• Cutting costs for SMEs – the ICO will launch more personalised and interactive content and is looking at using generative AI to create a more tailored experience. It will also launch a Data Essentials training and assurance programme for SMEs in 2025/26.
• Enabling more innovation through the regulatory sandbox and innovation advice services – the ICO aims to implement an experimentation regime to give businesses a time-limited derogation from certain regulatory requirements subject to strict conditions and in collaboration with the Regulatory Innovation Office.
• Unlocking privacy-preserving online advertising – the ICO will review where PECR consent requirements are preventing an industry-wide shift towards more privacy-friendly forms of online advertising and publish a statement outlining low-risk processing purposes. It supports the government in introducing secondary legislation to remove such consent requirements following the passage of the Data (Use and Access) Bill (DUA). The ICO will also publish its public-facing online tracking strategy to complement its 'consent or pay' guidance.
• Making it quicker and easier to transfer data internationally – the ICO will publish updated guidance on data transfers and work with international partners to build international agreement on mechanisms to facilitate trusted data flows. It will work with government to assess new markets and partners and publish new and updated guidance on international data transfers.
• Cutting the cost of engaging with multiple regulators – the ICO will support the government in simplifying legislation on information-sharing between regulators and will support other regulators, in particular, the AI Safety Institute as well as via the DRCF.
• Working in partnership with government – the ICO recognises areas of intersection with government including the DUA Bill, plans for a National Data Library and the Cyber Security and Resilience Bill.

ICO publishes guidance on 'consent or pay'

The ICO published guidance on the 'consent or pay' advertising model on 23 January 2025. The guidance clarifies how these models can be deployed to give users meaningful control. The ICO says 'consent or pay' models can comply with data protection law as long as it can be demonstrated that consent is freely given and other requirements are complied with. Assessments must be documented taking into account the following four factors:

• power imbalance - whether there is a power imbalance between the organisation and the individuals
• appropriate fee - whether the fee for accessing the service ad-free is appropriate
• equivalence - whether the core service is broadly equivalent whether people pay or choose to accept advertising
• privacy by design - whether choices are presented equally to people with clear understandable information.

The ICO's approach appears to be slightly more pragmatic than that of the EDPB which maintains that meeting the consent conditions when a binary choice of service is offered will be a high bar. The ICO seeks to maintain a balance between the needs of businesses and the privacy rights of users, providing case studies for tech businesses and news publishers, although does not, of course, compromise on data subject rights. The power imbalance criterion may be hard to overcome for the big tech platforms where there are no or fewer viable alternative services. The 'consent or pay model' is also under scrutiny in the EU under the Digital Markets Act.

The 'consent or pay' guidance was published alongside the ICO's 2025 online tracking strategy. One of the main aims this year is to bring the top 1000 websites into compliance in relation to online tracking, following significant improvements by the top 200 as a result of ICO action. 

EDPB Coordinated Enforcement Action report on right of access published

On 20 January 2025, the EDPB published a report following its Coordinated Enforcement Framework investigation into the implementation of the right of access under GDPR. 30 DPAs launched investigations into compliance with the right of access. The EDPB found that more awareness raising about the EDPB guidelines on the right of access is needed and there are seven key challenges to be tackled. These include lack of documented internal procedures to handle access requests, inconsistent and excessive interpretations on the limits of the right of access, and barriers encountered by individuals including requirements to provide excessive information or documentation. The EDPB did, however, report on positive findings with two thirds of participating regulators finding responses to right of access requests ranging from average to high compliance. The 2025 CEF action focuses on the right to erasure.

European Health Data Space moves to final adoption

The Regulation on the European Health Data Space was adopted by the Council of the EU on 21 January 2025 following adoption by the European Parliament. It will now be formally signed and published in the Official Journal coming into force 20 days later. It will apply two years from entry into force.

Lords introduce DUA Bill amendments

At report stage in the House of Lords on 21 January 2025, the House of Lords passed some amendments to the Data (Use and Access) Bill including:

• a requirement on the Secretary of State to assess the reliability of personal data processed by public authorities when considering the digitalID framework
• a requirement for research to be in the public interest in order to rely on the exception for data reuse for research purposes, and
• a requirement to provide guidance on security measures for those with access to the national underground asset register.

China defends data protection practices

Following complaints by NOYB that personal data transferred from the EU to China is at risk of access by law enforcement authorities in China, a spokesperson for the Ministry of Foreign Affairs said China does not require companies or individuals abroad to collect or provide data or other information to the Chinese government in breach of local law.

News as at 23 January 2025

UK government consults on legislative proposals to help combat ransomware threats

On 15 January 2025, the government published a consultation on proposals to reduce threats associated with ransomware attacks. The Home Office proposes introducing legislation to meet three main objectives:

• reducing the amount of money flowing to ransomware criminals from the UK
• increasing the ability of operational agencies to disrupt and investigate ransomware actors by increasing intelligence
• enhancing the government's understanding of the threats.

Among the main proposals are:

• a ban on ransomware payments by public sector bodies
• a new ransomware payment prevention regime which would require organisations not banned from making payments to report any intention to make a ransomware payment to the appropriate authorities. They would have the ability to block the payment under certain conditions
• the creation of a ransomware reporting regime, possibly with a threshold for mandatory reporting.

The consultation seeks views from a range of stakeholders including on whether essential suppliers to the public sector should be included in any ban on making ransomware payments, what sort of penalties should apply to non-compliance, and whether the incident reporting regime should be directed at certain sectors and be based on threshold requirements. Any legislation will complement the proposed Cyber Security and Resilience Bill.

The consultation closes on 8 April 2025.

EDPB pseudonymisation guidance published for consultation

On 17 January 2025, the EDPB adopted guidelines on pseudonymisation which are open for consultation until 28 February 2025. The EDPB stresses that the guidelines provide two important legal clarifications:

• pseudonymised data which could be attributed to an individual by the use of additional information is still personal data - if the data can be linked back to an individual by the data controller or someone else, it remains personal data
• pseudonymisation can reduce risks and make it easier to rely on legitimate interests as a legal basis as long as all other GDPR requirements are met. Similarly, pseudonymisation can help implement the data protection principles, particularly data protection by design and default and security.

The guidelines analyse technical measures and safeguards when using pseudonymisation to ensure confidentiality and prevent unauthorised re-identification.

Separately, the EDPB also adopted a position paper on the interplay between data protection and competition law.

EDPS concept note on consistent approach to EU regulation of digital markets

On 15 January 2025, the EDPS published a 'concept note' setting out proposals for a consistent, cooperative and coherent approach to enforcing the EU's laws on digital markets. The note looks at the incoming EU digital rulebook and notes the risks of inconsistent and contradictory approaches and requirements. The EDPS proposes creating a Digital Clearinghouse 2.0 – a forum for interested regulators to cooperate and exchange knowledge. The EDPS suggests a legislative proposal may be required to ensure effective cross-regulatory cooperation in the digital market, and says the Commission should monitor the new laws carefully and assess whether further changes may be required.

Cybersecurity Act amending Regulation and Cyber Solidarity Act published in Official Journal

On 15 January 2025, two pieces of EU cyber security legislation approved at the end of 2024, were published in the Official Journal:

• The Cybersecurity Amending Regulation 2025/37 – this amends the Cybersecurity Act to enable the adoption of EU certification schemes for managed security services. 
• The Cyber Solidarity Regulation – this establishes EU capabilities to strengthen resilience against cyber threats and cross-border cooperation. It makes provision for a pan-European cyber security alert system to share information, detect and act on cyber threats. 

Both will come into force 20 days following publication in the Official Journal.

EU action plan on cyber security in the health sector

The European Commission published an action plan on improving cyber security in the health sector on 15 January 2025.  The plan aims to bolster the cyber security of hospitals and healthcare providers and focuses on four priorities:

• enhanced prevention of cyber security incidents – including through enhanced preparedness measures like guidance and potentially vouchers to provide financial assistance to small and medium sized hospitals and healthcare providers
• better detection and identification of threats – including by developing an EU-wide early warning service on potential cyber threats by 2026
• response to cyber attacks to minimise impact – a rapid response service for the health sector under the EU Cybersecurity Reserve established under the Cyber Solidarity Act.  This will include encouraging the reporting of ransom payments
• deterrence – using tools including the Cyber Diplomacy Toolbox to deter cyber threat actors.

The Commission will launch a consultation on the plan which will feed into further recommendations by the end of the year.  Specific actions will be rolled out through this year and 2026.

NCSC guidance on choosing secure operational technology

The UK National Cyber Security Centre published guidance to help operational technology owners and operators choose products and manufacturers that follow security by design principles on 13 January 2025.  The guidance contains 12 security considerations for procurement processes.

IAB response to EDPB's consent or pay guidelines

On 16 January 2025, IAB Europe published a feedback paper sent to the EDPB after the 8 November 2024 stakeholder event on the EDPB's pay or consent guidelines.  IAB Europe is concerned about the narrow interpretation given to "freely given" consent. It argues that with the consent or pay model, users are given a clear choice between two options and are also able to choose to use alternative services.  It adds that there is no obligation on businesses to provide free services or services at a loss which could well transpire if they are required to offer ad-free services for free.

NOYB files complaints about data transfers to China

On 16 January 2025, NOYB filed complaints in Greece, Netherlands, Belgium, Italy and Austria asking for suspension of data transfers to China by six Chinese companies.  NOYB alleges the transfers are unlawful because the data cannot be adequately protected from access by the Chinese government.  Read more about the complaints here. 

News as at 16 January 2025

UK AI Opportunities Action Plan and government response published

Matt Clifford's AI Opportunities Action Plan and the government's response to it were published on 13 January 2025. The Action Plan makes 50 recommendations, all of which the government says it will take forward, although two of which it appears to have slight reservations about. As the government itself points out, the Plan focuses less on AI safety issues and more on leveraging AI to help with productivity and growth, and to deliver more efficient public services at lower cost. The government's response is focused around three pillars – laying the foundations for AI to flourish in the UK, boosting adoption across public and private sectors, and keeping the UK "ahead of the pack". 

Highlighted ambitions include:

• creating AI Growth Zones to speed up planning proposals and build more AI infrastructure
• increasing the public computing capacity twentyfold in order to embrace AI, starting with working on a new supercomputer
• creating a new UK Sovereign AI team to help build up the UK's AI capabilities and seize opportunities. This may include guaranteeing companies access to data and energy
• create a National Data Library to safely and securely unlock the value of public data and support AI development – the government will explore identifying 5 high-impact public data sets which will be made available to researchers and innovators
• a dedicated AI Energy Council to help understand energy demands relating to AI and develop clean energy solutions.

Read more here.

EC ordered to pay €400 in damages for unlawful transfer of personal data

On 9 January 2024, the EC was ordered to pay Thomas Bindl €400 in respect of unlawful transfer of his personal data to the USA by the General Court of the EU. Thomas Bindl, alleged that while registering for an EC conference and choosing to login with his Facebook credentials, his IP address and information about his browser and terminal were transferred to the USA unlawfully. Bindl claimed the data was transferred to the US via AWS as operator of Amazon CloudFront and that his personal data was transferred to Meta Platforms Inc without the use of any safeguards to protect the data. The Court dismissed the claim in relation to transfers of data via Amazon CloudFront, finding that the data was transferred to a server in Munich, not to the USA in accordance with the contract between AWS and the European Commission. The mere threat of a US subsidiary (in this case of Amazon Web Services) being required to transfer personal data to a third country by public law enforcement agencies, did not constitute an actual transfer of the personal data. The Court did, however, agree that by displaying the 'sign in with Facebook' hyperlink, the EC created conditions for the transfer of the individual's IP address to Facebook and to Meta Platforms in the USA and that the Commission was responsible for the transmission. Moreover, at the time there was no EU-US adequacy arrangement in place and there were no appropriate safeguards used by the Commission with respect to the transfer. The Court found the complainant had suffered non-material damage. The ruling does not relate directly to the GDPR but to the equivalent legislation for EU institutions, but is relevant to data transfers under the GDPR as the rules are substantially similar. 

ECJ says DPAs must consider all claims

In a preliminary ruling in a reference from Austria, the ECJ said DPAs are not allowed to limit the number of claims made by an individual but must review each claim on its merits.  The background to the claim is the Austrian DPA's rejection of a claim on the basis that the claimant had made 77 claims between 2018 and 2022.  The ADPA wanted to allow a maximum number of two complaints per data subject per month.  The ECJ said that as long as complaints are not vexatious or abusive, frequency is not sufficient to classify a claim as "excessive".

ECJ says a customer's gender identity is not necessary data for transport ticket purchase

On 9 January 2025. The ECJ held that it is not necessary to collect data on customers' titles, particularly where the purpose of the collection is to personalise commercial communications.  The background to the ruling is a challenge by the association Mousse to the CNIL about SNCF's requirement for consumers to enter their title when purchasing transport tickets online.  The CNIL held that this did not infringe the GDPR.  The decision was appealed to the French Council of State which asked the ECJ whether collecting title data was consistent with the data minimisation principle.  The ECJ said for the data processing to be necessary it had to be objectively indispensable for performance of a contract, or in attainment of a communicated legitimate interest.  In this instance, the ECJ found the data collection was not objectively indispensable.

News as at 8 December 2025

ICO response to Google change of policy on device fingerprinting

On 18 December 2024, Google announced that from 16 February 2025, it will no longer prohibit organisations using its advertising products from employing device fingerprinting techniques – the collection of pieces of information about a device's software or hardware which can be combined to uniquely identify a particular device or user. The following day, the ICO published a response saying "businesses do not have free reign to use fingerprinting as they please. Like all advertising technology it must be lawfully and transparently deployed – and if it is not, the ICO will act". The response goes on to say that the ICO does not think fingerprinting is a fair way to track users online as it is likely to reduce people's choice and control over how their information is collected. It notes that the changes to the policy mean fingerprinting could now replace the functions of third party cookies.

The ICO has published draft guidance for consultation on how data protection law applies to storage and access technologies including fingerprinting. It warns that based on its understanding of the technology, complying with required rules on transparency, fairness and consent will be a "high bar to meet".

EDPB Opinion on use of personal data in AI models

The EDPB published its Opinion on the use of personal data for the development and deployment of AI models on 18 December 2024 following a request made by the Irish DPC. The Opinion considers:

• When and how AI models can be considered anonymous – this should be assessed on a case by case basis by the DPAs. For a model to be anonymous it should be very unlikely to directly or indirectly identify individuals whose data was used to create the model, and to extract such personal data from the model through queries. The Opinion provides a non-prescriptive, non-exhaustive list of methods to demonstrate anonymity.
• Whether and how legitimate interest can be used as a legal basis for developing AI models – legitimate interest may be available subject to the outcome of the three-stage balancing test if the processing is shown to be strictly necessary and the balancing of rights is preserved. The Opinion provides criteria to help DPAs assess whether individuals may reasonably expect certain uses of their personal data. It also provides a non-exhaustive list of mitigating measures which might help change the outcome of a balancing test.
• What happens if an AI model is developed using personal data processed unlawfully – if an AI model is developed with unlawfully processed personal data, this "may" impact the lawfulness of its deployment unless the data has been anonymised. 

Throughout the Opinion, the discretion of DPAs and the need to conduct analysis on a case by case basis are emphasised.

Irish DPC confirms Meta €251m fine for 2018 data breach

On 17 December 2024, the Irish DPC confirmed it is fining Meta €251m in respect of a 2018 data breach which impacted approximately 3m EU/EEA users. This follows two draft decisions submitted to EU regulators under the cooperation mechanism in September 2024. Failings included not providing required information in the breach notification, failing to properly document the facts relating to each breach and steps taken to remedy them, and failing to ensure data protection by design and default.

Garante fines OpenAI €15m

On 20 December 2024, the Garante announced it was fining OpenAI €15m in respect of its ChatGPT model. The Garante found that OpenAI used personal data to train ChatGPT without a suitable lawful basis and that it was insufficiently transparent with individuals about use of their personal data. OpenAI is appealing the fine which it describes as "disproportionate".

News as at 11 December 2024

EU Council adopts cyber legislation

On 2 December 2024, the Council of the EU adopted:

• The Cyber Solidarity Act which aims to build a more resilient, collective EU response against cyber threats.
• A Regulation amending the Cybersecurity Act to enable the adoption of an EU certification scheme for managed security services – outsourced services that support an organisation's cyber security risk management.

These have already been adopted by the European Parliament so following signature, they will be published in the Official Journal. 

ICO review of public sector approach

On 9 December 2024, the ICO published the results of its two-year trial public sector approach which placed an emphasis on reprimands and collaboration rather than financial sanctions where public sector organisations breach data protection rules.  The ICO considers the approach to have been largely successful.  It proposes to continue it but does acknowledge potential areas for improvement, in particular, by making it clearer which organisations are covered in the public sector approach and what type of infringements could lead to a fine.  As a result, the ICO is consulting on the latter issue.  Responses are invited by the end of January 2025.

Stakeholders urge changes to the DUA Bill's ADM provisions

On 6 December 2024, a group of trade unionists, academics, CEOs, NGOs and campaign organisations including Open Rights Group, Privacy International and Amnesty International, published an Open Letter to Peter Kyle, Secretary of State for Science, Innovation and Technology.  The letter urges amendments to the Data (Use and Access) Bill to remove the planned changes to current UK GDPR provisions on automated decision making.

EDPB consultation on draft Article 48 guidelines

On 3 December 2024, the EDPB published draft guidelines on Article 48 GDPR for consultation.  Article 48 covers requests for data from third country public authorities.  The draft guidelines provide recommendations for controllers and processors to help ensure they deal properly with such requests and comply with data transfer provisions if they transfer personal data in response to such requests.  The EDPB says that an international agreement may provide for both a legal basis and a ground for transfer, but if there is no international agreement or there is no agreement providing for an appropriate legal basis or safeguards, other legal bases or grounds for transfer can be considered in exceptional circumstances and on a case by case basis.  Responses to the consultation are requested by 27 January 2025.

EDPB statement on coherence of digital legislation with GDPR

On 4 December 2024, the EDPB adopted a statement on the second report of the European Commission on the application of the GDPR.  The EDPB underlined the importance of coherence between the GDPR and other digital legislation and said it would focus on producing content for non-experts and SMEs.  It also stressed the need for greater financial and human resources for the EDPB and Member State Data Protection Authorities.

ICO advice to local authorities facing financial restrictions

On 28 November 2024, the ICO published a blog post to help local authorities facing financial restrictions deal with requests for information under the Freedom of Information Act 2000 and the Data Protection Act 2018.

ENISA cyber security report under NIS2

On 3 December 2024, ENISA published the first of its biennial reports on the state of cyber security in the EU as required by Article 18 of the NIS2 Directive.  The report identifies that while Member States share an overall alignment in strategy, there is a substantial risk threat to the EU, particularly as a result of diverse approaches adopted in critical infrastructure sectors.  The report identifies four areas that policy recommendations would address in policy implementation, namely cyber crisis management, supply chain and skills.   It makes six policy recommendations covering the four priorities as well as the capabilities of critical sector operators and cyber security awareness and cyber hygiene.  ENISA expects policy attention to focus on the impact of AI and post-quantum cryptography going forwards, as well as on R&D and innovation in the cyber security sector.

EU Council agrees FIDA negotiating mandate

On 4 December 2024, the Council of the EU announced it had agreed its negotiating mandate on the proposed Financial Data Access (FIDA) Regulation which can now move to trilogues.  The Council's position suggests a number of clarifications but is generally supportive of the Commission's approach.

NOYB certified to bring redress actions in the EU

Austria and Ireland have certified digital rights campaign group NOYB as a "qualified entity", entitling it to bring collective redress actions in courts throughout the EU.  This can take the form of an application for an injunction, or collective redress, ie class actions, on the proviso they are on a non-profit basis.

EDPB approves EU Data Protection Seal

The EDPB adopted an Opinion approving Brand Compliance certification criteria concerning processing activities by controllers or processors on 3 December 2024.  The criteria, previously approved for use in the Netherlands, will now be applicable across the EU and as a Data Protection Seal

UK government app developer survey

On 5 December 2024, the government published the results of a survey of app developers.  The aim of the survey was to understand the extent to which app developers are aware of and comply with the voluntary Code of Practice on app and app store security and privacy, and whether or not awareness impacts the level of security.  The survey of 600 developers found that just under one in six were aware of the Code of Practice with the larger developers more likely to be aware.  There are varying degrees of alignment with the Code's principles and those who are unaware of the Code are less likely to have organisational plans to implement practices which align with the Code's principles

News as at 4 December 2024

DHSC response to consultation on information standards for health and adult social care in England

On 22 November 2024, DHSC published its response to a consultation on information standards for health and adult social care in England.  The consultation relates to changes made to s250 of the Health and Social Care Act 2012 (HSCA) which have not yet been brought into effect.  The changes will:

• require health and adult social care providers to comply with information standards directed at them
• allow private providers to be subject to information standards
• provide for regulations to be made about the procedure for the preparation and publication of information standards.

These changes will be complemented by provisions in the Data (Use and Access) Bill which include standardisation for data sharing across health and social care as information standards covered under s250 of the HSCA.

DHSC is expected to begin preparations to implement mandatory information standards in early 2025, and to lay legislation before Parliament in the Spring. 

Proposed amendments to the Data (Use and Access) Bill

So far, over 200 amendments have been tabled to the Data (Use and Access) Bill.  Politico reports that many of these relate to protection of children and cover issues relating to AI training data, including copyright as well as consent and transparency issues.  Other proposed amendments cover legitimate interests, scientific research and data transfers.

23 Member States have failed to transpose the NIS2 Directive on time

23 Member States failed to transpose the NIS2 Directive into their local law by the required deadline of 17 October 2024.  As a result, the European Commission has given them two months to finalise their national laws or it will issue a final warning as a prelude to enforcement action.

UK government publishes revised digital identity and trust framework and supporting documents

On 28 November 2024, the government published the gamma (0.4) pre-release version of its updated identity and attributes trust framework, together with supporting documents which provide guidance on:

• Understanding attributes
• Creating and sharing attributes
• Scoring attributes
• Guidance for delegated authorities.

This version of the framework is not yet ready to be certified against.  Certifications against the 0.3 framework will remain valid until the date published in the final gamma version.

News as at 27 November 2024

ICO guidance on data sharing to tackle fraud

On 22 November 2024, the ICO published new practical advice to provide clarity on data protection considerations and support organisations in sharing data responsibly to tackle scams and fraud. The advice is aimed at any organisation seeking to share personal information to identify investigate and prevent fraud, especially banks, telecommunications providers and digital platforms.  The advice runs through data protection essentials including carrying out a DPIA, having appropriate processes and data sharing agreements in place, identifying a lawful basis, and complying with data protection law including by giving effect to data subject rights.

ePrivacy Regulation lives on…

On 13 November 2024, the European Parliament published the list of legislative files it will pick up following the EP elections.  Over 120 files are listed, including the ePrivacy Regulation which has languished without much progress for a while.  It is thought this will be officially dropped by the Commission once it publishes the Digital Fairness Act.  The GDPR Enforcement Regulation will also continue to progress.

EDPS TechSonar report on impact of AI on individual rights and freedoms

The European Data Protection Supervisor's 2025 TechSonar report was published on 15 November 2024 and focuses on:

• retrieval-augmented generation (RAG) – a technique that allows AI systems to generate more relevant output by retrieving and combining relevant information from multiple knowledge bases
• on-device AI – a system architecture designed to place data processing at the edge of the network, reducing latency and increasing control over the data processed by AI systems
• machine unlearning – a technique that allows trained AI systems to forget specific data or remove its influence on request
• multimodal AI – which deals with the integration of multiple types of data (eg text, sound etc)
• scalable oversight and neuro-symbolic AI – focusing on the ability to use AI systems to monitor other AI systems as they grow in complexity and scale
• neuro-symbolic AI which combines neural networks with symbolic reasoning to enhance accuracy and decision-making processes.

The report provides fictional scenarios for each of these technologies and considers their impact on the fundamental right to privacy and protection of personal data as well as on society as a whole.

News as at 20 November 2024

EU Cyber Resilience Act published in Official Journal

The EU's Cyber Resilience Act (CRA) was published in the Official Journal on 20 November 2024. It introduces mandatory cyber security requirements for the design, development, production and making available of products with digital elements and ancillary services. Essentially this covers the cyber security of IoT or connected products. Manufacturers will be required to embed security by design and provide security support and software updates.  There are also information and incident reporting requirements. The CRA will apply generally from 11 December 2027. Article 14 (manufacturer reporting obligations) will apply from 11 September 2026, and Chapter IV (conformity assessment bodies) will apply from 11 June 2026. Products placed on the market before 11 December 2027 are only subject to the Regulation if substantially modified, except for Article 14, which applies to all relevant products.

ICO and RTA publish PETs cost-benefit awareness tool

On 7 November, the ICO and DSIT's Responsible Technology Adoption Unit published the Privacy Enhancing Technologies PETs) Cost-Benefit Awareness Tool alongside a checklist to support organisations. The tool focuses on emerging PETs and is structured around an example of using PETs to train a machine learning model without centralised data collection or processing. The tool includes information on compliance costs and benefits and features examples and use cases.

National Cyber Security Centre guidance for tackling malvertising

On 6 November 2024, the National Cyber Security Centre (NCSC) published new guidance for brands to help advertising partners counter malvertising (malicious advertising which spreads malware and ransomware and which can lead to fraud). The guidance is aimed at brands which use in-house and third-party digital advertising services to help them choose partners who prioritise cyber security. Recommendations include:

• have strong 'know your customer' checks in place
• employ strong cyber security practices
• use data from reputable sources
• implement industry standards
• employ effective malvertising detection and removal services
• collaborate to share threat intelligence
• put in place reliable reporting mechanisms
• demonstrate a transparent approach.

Meta launches new version of services with "less personalised ads" in EEA and Switzerland

In an effort to allay competition and data protection concerns around its current 'pay or OK' model in the EU relating to behavioural advertising, Meta announced a new version of its services on 12 November 2024. Meta will offer a version of Facebook and Instagram with "less personalised ads". Under the new model, those selecting a free service will still receive ads but the targeting will rely on less data ie it will be contextual, using a minimal set of data points including age, location, gender and how a person engages with ads. Meta will also reduce the cost of its ad-free subscription model.

First UK sector-owned data protection code of conduct

On 13 November 2024, the ICO announced it had approved the first sector-owned code of conduct by the Association of British Investigators Limited.  The Code applies to UK private investigators and is approved in accordance with Article 40 UK GDPR.

Joint statement from the FCA, ICO and TPR for retail investment firms and pension providers

On 15 November 2024, the FCA, ICO and the Pension Regulator (TPR), published a joint statement on data protection and effective communications to consumers in relation to retail investment and pensions. The statement has been made in response to requests from retail investment firms and pension providers for further clarity on how the TPR Code of Practice and guidance on communications requirements, and the FCA's Consumer Duty, interact with direct marketing rules under data protection law and regulations. The statement distinguishes regulatory communication and service messages from direct marketing messages and provides some guidance on relevant factors in determining whether a message is or contains direct marketing. 

FCA publishes final requirements and expectations for CTPs

The FCA, jointly with the Prudential Regulation Authority (PRA) and the Bank of England, set out the final requirements and expectations for critical third parties (CTPs) to the financial sector and their operational resilience on 12 November 2024. The new rules will apply from 1 January 2025. They allow the FCA, PRA and Bank of England to monitor and manage systemic risks posed by certain third parties to the financial sector. The regulators will be able to identify potential CTPs and recommend them for designation to the Treasury. The intention is to improve resilience to cyberattacks and outages in the UK's financial sector. The rules will take effect on a CTP on the date the relevant designation order comes into force. 

News as at 14 November 2024

ICO publishes report on AI tools in recruitment

On 6 November 2024, the ICO published the results of its consensual audit engagements with developers and providers of AI tools used in recruitment together with a series of recommendations for developers and recruiters. The ICO recognises the value of using AI in recruitment but also made a series of nearly 300 recommendations following the voluntary audit which are summarised in the report alongside key questions for procurers to ask themselves during the procurement process.

The ICO found areas requiring improvement in relation to processing of personal data in AI recruitment tools, including around concerns that some AI recruitment tools can:

• Lead to discrimination by allowing recruiters to filter out candidates with protected characteristics
• Infer characteristics such as gender and ethnicity from names rather than by asking candidates
• Scrape personal data from the tools and combine it with other data to create marketing databases
• Be insufficiently transparent.

The ICO is running a webinar on 22 January 2025 for AI developers and recruiters.

EDPB first report on EU-US DPF

Following the Commission's first annual review of the EU-US Data Privacy Framework, the EDPB adopted its own report on 4 November 2024. The EDPB recognises the steps taken by the US authorities and the EC to implement the DPF, both commercial and in terms of complaints and redress. The EDPB does however, suggest the US authorities develop guidance on data transfer requirements and human resources data. It also recommends the authorities monitor the compliance of DPF-certified organisations more closely. The EDPB underlines that safeguards around access to EU personal data by law enforcement authorities need to be implemented effectively, and says the Commission monitor future developments.  The EDPB recommends the next review of the EU-US adequacy decision take place within three years.

The end of the 'Traffic Light' Coalition and the impact on upcoming digital legislation

Germany is likely to have a new government soon. On November 6, 2024, the so-called Traffic Light Coalition collapsed, possibly leading to new elections in March 2025. While Chancellor Scholz announced that certain key legislative proposals will be seen through, he did not mention any from the digital sector. Without enactment, many of these initiatives will lapse. We summarise the likely consequences for upcoming initiatives. See here for more.

ICO report on genomics and data protection

On 7 November 2024, the ICO published a report on genomics and data protection concerns. The ICO raises concerns around third party data, inappropriate bias, data security and data minimisation. It calls for developers to take a privacy by design approach and join the regulatory sandbox.  The report is part of the ICO's Tech Futures series.

CPO against Meta to proceed

On 1 November 2024, the Court of Appeal refused an application by Meta to reverse the judgment of the Competition Appeal Tribunal which granted a revised application for a collective proceedings order submitted by Dr Lovdhahl Gormsen. The CPO claims Meta abused its dominant position impacting UK Facebook users, by using their personal. data for commercial purposes without their consent. The Court of Appeal held that Meta's concerns could be heard at trial and did not mean the central case was not arguable.

Joint European supervisory Authority guidance on DORA

The European Supervisory Authorities, the EA, ESMA and Eiopa (ESAs), published joint guidelines on the oversight cooperation and information exchange between the ESAs and the competent authorities under DORA on 6 November 2024. The guidelines apply from 17 January 2025.

ENISA consultation on technical guidance for NIS2 Implementing Act

On 7 November 2024, ENISA published a consultation on technical guidance for the cybersecurity measures of the NIS2 Implementing Act. The guidance will support Member States and government entities with compliance and will provide advice as to what to consider when implementing a requirement and how to assess whether a requirement has been met. It also provides tables mapping security requirements in the Implementing Regulation to European and international standards as well as national frameworks. The consultation closes on 9 December 2024.

ABI and Lloyds guide on defining a major cyber event

On 7 November 2024, the Association of British Insurers (ABI) and Lloyds of London published a guide for insurers and reinsurers on how to define a "major cyber event". The guide will be useful for organisations with cyber insurance to help them understand the notification and mitigation process when experiencing a cyber event.

Which? Says some air fryers are transferring personal data

Consumer protection magazine Which? Carried out tests on a number of connected devices and found that some, including air fryers and smart watches, processed excessive amounts of personal data. Which? particularly highlighted its finding that three air fryers which asked for permission to record audio on the user's phone through a connected app, were then transferring personal data to China and/or connecting to trackers. The ICO said the tests "show that many products not only fail to meet our expectations for data protection but also consumer expectations". The ICO is currently working on guidance for manufacturers of smart products.

News as at 6 November 2024

ICO publishes response to Data (Use and Access) Bill

On 1 November, the House of Lords Library published a research briefing on the Data (Use and Access) Bill (DUA). Shortly afterwards, the ICO published its response to the Bill. The ICO welcomes the Bill as "a positive package of reforms". With respect to data protection reform, the ICO welcomes the removal of provisions in the DPDI Bill requiring it to follow a statement of strategic priorities. The ICO concludes that the data protection changes are "pragmatic and proportionate" and welcomes the government's renewed commitment to maintaining adequacy. The ICO's own view is that "the proposed changes in the Bill strike a positive balance and should not present a risk to the UK's adequacy statement". The ICO does make a number of technical suggestions to improve clarity.

Global Privacy Assembly follow-up statement on unlawful data scraping

The ICO, together with 16 other DPAs working as part of the Global Privacy Assembly International Enforcement Cooperation Working Group, published a follow-up joint statement on protecting data from unlawful data scraping on 28 October 2024.

The initial joint statement published in August 2023, set out key privacy risks associated with data scraping. The follow-up statement has been published as a result of engagement with the largest social media companies. It sets out further expectations including that organisations:

• Comply with privacy and data protection law when using personal information including from their own platforms to develop AI LLMs
• Deploy a combination of safeguarding measures and regularly review and update them to keep pace with advances in scraping techniques and technologies
• Ensure permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.

The ICO said there had been positive steps made by social media companies to implement many of the measures identified in the initial statement but additional ones suggested in the follow-up statement include:

• Using platform design elements which make it harder to scrape data using automation
• Safeguards that leverage AI
• Lower cost solutions for SMEs.

ICO statement on work to protect children online

On 29 October 2024, the ICO published a statement on its work to protect children online following research which showed that for many children, data is their only currency and they see giving it to apps and services to help them socialise as a necessary exchange. Children are generally unaware of how their data is used and the research found that platform design can exacerbate this and make it difficult for children to make informed privacy decisions. The ICO says it expects to provide further updates on its Children's Code Strategy once requested information from 11 companies has been submitted and analysed.

ICO recommendations for communicating with empathy after a data breach 

On 1 November 2024, the ICO published new guidance to help organisations communicate with empathy after a data breach. This reminds organisations that data breaches have an impact on real people. Research conducted by the ICO suggests nearly 30m people in the UK have experienced data breaches and 30% of those suffered emotional distress as a result. At the same time, 25% of affected individuals said they had not received support from the responsible organisations and 32% discovered the breach had occurred due to media reports.

ICO applies to appeal overturns of its Clearview AI and DSG decisions

On 25 October 2024, the ICO applied to the Upper Tribunal for permission to appeal a First-Tier Tribunal (FTT) decision which overturned the ICO's fine and data processing ban on Clearview AI in 2022. The ICO had fined Clearview £7.5m for scraping the internet for images to train its image recognition system without the consent of data subjects. The ICO also banned Clearview from processing UK personal data. The ICO's decision was overturned in October 2023 on the basis that it did not have jurisdiction to enforce against a US-based company supplying services to foreign law enforcement agencies, and the ICO was refused permission to appeal in December 2023. That decision was not, however, communicated to the ICO until September 2024. The ICO has now applied directly to the Upper Tribunal for permission to appeal the FTT decision. The ICO says he considers "the Tribunal incorrectly interpreted the law when finding Clearview's processing fell outside the reach of UK data protection law on the basis that it provided its services to foreign law enforcement agencies. The commissioner's view is that Clearview itself was not processing for foreign law enforcement purposes and should not be shielded from the scope of UK law on that basis".

Separately, the ICO announced on 4 November 2024, that it was seeking leave to appeal the judgment of the Upper Tribunal relating to DSG Retail Limited in the Court of Appeal. DSG was fined £500k (reduced under appeal to £250k) under the Data Protection Act 1998 in relation to a cyber breach which affected 14m people. DSG was given permission to appeal, first to the FTT and then to the Upper Tribunal which allowed the appeal and remitted the case to the FTT to be re-decided in 2024. The ICO considers the Tribunal interpreted the law incorrectly in finding that an organisation is not required to take appropriate measures against unauthorised or unlawful processing of data by a third party where the data is personal data in the hands of the controller but not in the hands of the third party.

IAB Tech Lab releases Global Privacy Platform Implementation Guidelines for comment

On 29 October 2024, US-based global digital advertising standards body, IAB Tech Lab, announced the release of its Global Privacy Platform (GPP) Implementation Guidelines for consultation. The comment period will end on 16 December 2024. IAB Tech Lab developed the GPP intending it to help participants in the digital advertising ecosystem comply with privacy regulations across multiple regimes. The implementation guidelines are resources to help product and engineering teams adopt the GPP and comply with GDPR, US state laws and other privacy regulations.

News as at 31 October 2024

Data (Use and Access) Bill published

The Data (Use and Access) Bill was published and received its first reading in the House of Lords on 23 October 2024. In case you missed last week's update, read our initial reactions here.

Meta to resume use of facial recognition on Facebook and Instagram

Three years ago, Meta announced it would cease using facial recognition technology for tagging purposes on Facebook in light of privacy concerns. On 21 October 2024, however, it said it was planning to start using facial recognition again to verify user identity, help recover hacked accounts and detect and block some types of scam ads. Interestingly, Meta said it would not be testing facial recognition for identity verification purposes in the EU, UK and in the US states of Texas and Illinois, jurisdictions in which Meta is continuing to have conversations there with regulators.

Irish DPC fines LinkedIn €310m for GDPR breaches

On 24 October 2024, the Irish DPC announced its final decision to fine LinkedIn €310m for GDPR failings relating to the processing of personal data for behavioural analysis and targeted advertising. The DPC investigated the complaint as lead regulator following a referral from the CNIL and under the Article 60 GDPR procedure. The DPC found that LinkedIn had failed to process the personal data fairly and lawfully as it had not validly relied on either consent, legitimate interests or contractual necessity. It also failed to comply with information provision requirements.

NOYB files complaint against Pinterest

On 22 October 2024, NOYB filed a complaint with the French DPA, the CNIL, against Pinterest. NOYB alleges that Pinterest wrongly relies on legitimate interests despite the Bundeskartellamt ECJ judgment to process personal data for tracking and behavioural advertising processes. It also says personalised advertising is turned on by default, consent is not obtained to tracking, and Pinterest does not provide sufficient information about the categories of personal data it shares with third parties. NOYB is asking that Pinterest erase data processed for personalised ads and asks the CNIL to impose a fine.

CPCA working on privacy certification for digital advertising with ICO involvement

On 9 October 2024, the Coalition for Privacy Compliance in Advertising (CPCA) announced it is working with the ICO to try and develop an ICO-approved privacy certification for digital advertising technology which is compliant with ICO guidelines. Industry groups including the Incorporated Society of British Advertisers and the Association of Online Publishers are also set to get involved. CPCA hopes to launch the certification in 2025 and intends it will work with European initiatives.

News as at 23 October 2024

UK's new data Bill expected imminently

The UK's Digital Information and Smart Data Bill, announced in the July 2024 King's Speech, is expected to be published later this week or early next week, possibly under a different name. In the background briefing notes to the King's Speech, the government said the Bill would aim to harness the power of data for economic growth. Among other things, the briefing notes suggested it would establish digital verification services, a national underground asset register, and smart data schemes which allow secure sharing of customer data with authorised third party providers. It would also preserve many of the reforms to the ICO's governance structure proposed under the Data Protection and Digital Information Bill (which did not pass before the general election) and would include “targeted reforms to some data laws….where there is currently a lack of clarity”. No specific mention of the GDPR was made but after recent talks between Technology Secretary Peter Kyle and EU Justice Minister Didier Reynders, Reynders tweeted that they had both acknowledge the importance of the UK maintaining EU adequacy. Rumours are that the focus of the Bill will shift from UK GDPR reform to data sharing and digital IDs and the government has already said it will cover patient accessibility to their medical records via the NHS app. Watch this space!

EDPB guidelines on Technical Scope of Article 5(3) ePrivacy Directive

On 16 October 2024, the EDPB published its final guidelines on the Technical Scope of Article 5(3) ePrivacy Directive. The guidelines analyse what is covered (beyond cookies) by the ePrivacy Directive wording "to store information or to gain access to information stored in the terminal equipment of a subscriber or user". They state that there are three main criteria which, if satisfied, will mean the technology is in scope:

• Criterion A: the operations carried out relate to "information" (not necessarily personal data, but information more widely)
• Criterion B: the operations carried out involve a "terminal equipment" of a subscriber or user which imply the need to assess the notion of a "public communications network"
• Criterion C: the operations caried out constitute "storage" or a "gaining of access". These notions can be analysed independently – they do not need to both take place within the same communication and do not have to be carried out by a single party.

The guidelines do not cover exemptions to the consent requirement but they do look at specific use cases and technologies including URL and pixel tracking, local processing, tracking based solely on IP addresses and intermittent and mediated IoT reporting.

European Commission adopts Implementing Act under NIS2 Directive

On 17 October 2024, the European Commission announced the adoption of an Implementing Act under the NIS2 Directive. The Act sets out cyber security risk management measures and the cases in which an incident should be considered significant and therefore reportable. The Regulation will apply to specific categories of companies providing digital services, covering: TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service and security providers, online marketplaces, online search engines, social networking platforms and trust service providers. The Regulation will be published in the Official Journal shortly and will come into force 20 days after that.

Member States were supposed to have introduced implementing legislation for the NIS2 Directive by 18 October, although many have not done so.

NCSC publishes updated guidelines on multi-factor authentication

The UK's National Cyber Security Centre published updated guidelines on multi-factor authentication (MFA) on 9 October 2024. The guidance sets out the strengths and weaknesses of different ways of implementing MFA. While the NCSC says authenticating users to cloud-based corporate services using just a password is insufficient to protect sensitive data, it also suggests only prompting for authentication or MFA when it makes a difference.

News as at 17 October 2024

Council adopts Cyber Resilience Act

On 10 October 2024, the Council of the EU adopted the Cyber Resilience Act (CRA), a Regulation on cybersecurity requirements for products with digital elements. The CRA will sit alongside other EU cyber security legislation and will focus on filling in gaps relating to connected products. The CRA will now be published in the Official Journal and will apply three years after its entry into force (subject to some exceptions which will apply earlier).

EDPB picks right to erasure for next coordinated enforcement action

The EDPB announced on 7 October 2024, that its fourth Coordinated Enforcement Action will focus on implementation of the right to erasure by data controllers. Data Protection Authorities can join the action on a voluntary basis and the action will be launched in the first half of 2025. In early 2025, the results of the current enforcement action on the right of access will be adopted.

The EDPB also adopted its 2024-25 Work Programme. This is based on the 2024-2027 strategy adopted in April 2024 and is the first one of two work programmes which will implement the strategy. The Work Programme outlines an array of opinions and guidelines which the EDPB intends to publish, as well as various initiatives to enhance regulatory cooperation in the EU and international cooperation on data privacy issues.

European Commission report on first review of EU-US DPF

On 9 October 2024 the European Commission published a report following its first review of the adequacy decision for the EU-US Data Privacy Framework (DPF). The Commission has concluded that the US authorities have put in place all the necessary structures and procedures to ensure the DPF functions effectively. This includes suitable redress mechanisms, and safeguards to ensure that access to EU personal data by intelligence authorities is limited to what is necessary and proportionate. The Commission did, however, recommend that in order to ensure continued and effective functioning of the DPF:

• The Department of Commerce should make fuller use of the different tools provided in the DPF to monitor compliance by companies with the Principles and the detection of false claims of participation in the DPF
• The FTC should further develop its proactive approach to the investigation and enforcement of compliance by certified companies with the DPF Principles, and
• The DoC, FTC and EU data protection authorities should develop common guidance instruments on key requirements under the DPF Principles eg on HR data and onward transfers.

On the basis of this review, the Commission says its next review will be in three years' time.

EDPB adopts Opinion on reliance on processors and sub-processors

On 9 October 2024, the European Data Protection Board (EDPB) adopted an Opinion on certain obligations following from the reliance on processor(s) and sub-processor(s) following an Article 64(2) GDPR request by the Danish SA.

The Opinion covers situations where controllers rely on one or more processor and sub-processor. It focuses on eight questions dealing with the interpretation of certain controller duties when they rely on processors and sub-processors, and looks at the wording of controller-processor contracts particularly where it fulfils Article 28 requirements.

The EDPB says controllers should have the identity information (i.e. name, address, contact person) of all processors and sub-processors readily available at all times so that they can best fulfil their obligations under Article 28. In addition, the controller’s obligation to verify whether the (sub-)processors present "sufficient guarantees" should apply regardless of the risk to the rights and freedoms of data subjects, although the extent of such verification may vary according to the level of risk associated with the processing.

The Opinion also makes clear that while the initial processor should ensure it proposes sub-processors with sufficient guarantees, the ultimate decision and responsibility for engaging a specific sub-processor rests with the controller.

The EDPB considers that under the GDPR the controller does not have a duty to systematically ask for the sub-processing contracts to check whether data protection obligations have been passed down the processing chain. The controller should assess whether requesting a copy of such contracts or reviewing them is necessary for it to be able to demonstrate compliance with the GDPR.

EDPB Statement on draft Regulation for GDPR enforcement

On 9 October 2024, the EDPB adopted a Statement on amendments made by the European Parliament and Council to the draft Regulation on additional procedural rules relating to GDPR enforcement. The Statement broadly welcomes the modifications but recommends addressing further elements. In particular, the EDPB reiterates the need for a legal basis and a harmonised procedure for amicable settlements. It also warns that the introduction of a joint case file, as proposed by the European Parliament, would require complex changes to the document management and communication systems used at European and national levels.

EDPB to run stakeholder event on AI models on 5 November 2024

The EDPB is inviting stakeholders to an event on AI models on 5 November 2024. Individuals representing European sector associations, organisations, NGOs, companies, law firms and academics, are invited to take part. One representative per organisation will be admitted on a first come first served basis but the EDPB reserves the rights to give precedence to specific stakeholders who have expressed an interest in participating to ensure relevant expertise and diversity of views.

G7 DPAs look at closer cooperation

Following a roundtable meeting on 10 and 11 October 2024 of the G7 data protection authorities, the Canadian DPA published a communiqué setting out three pillars of focus for cooperation – data transfers, emerging technologies such as AI, and bilateral and multilateral enforcement actions.

Investigatory Powers (Amendment) Act 2024 (Commencement No 1 and Transitional Provisions) Regulations 2024

The Investigatory Powers (Amendment) Act 2024 (Commencement No 1 and Transitional Provisions) Regulations 2024, were made on 10 October 2024 and brought in a number of provisions of the Investigatory Powers (Amendment) Act 2024 on 14 October. These include ss 1-7, 19-23, 25-29. Regulation 3 sets out transitional provisions for communications data retention notices issued under s87 of the 2016 Act and takes effect immediately. Regulation 4 makes transitional provisions with respect to national security and technical capability notices.

ICO report on quantum technologies and data protection

On 9 October 2024, the ICO published a blog launching its report ICO tech futures: quantum technologies. This looks at emerging possibilities for quantum technologies involving personal data and at the implications for privacy. In particular, the ICO looks at the potential of quantum technology to break encryption. Its main approach to addressing the risk is NCSC-endorsed post-quantum cryptography. The ICO recommends large organisations begin preparing for the transition now by identifying and reviewing at-risk information, systems and cryptography. Maintaining current cyber hygiene is considered a good start.

AI and cyber security

Andi Terziu looks at the key themes discussed by our panel on AI and Cyber issues during our recent Cyber Strategy Seminar.

News as at 9 October 2024

ICO launches new audit framework

The ICO has launched a new audit framework to help organisations assess their compliance with data protection law. Using the framework will not guarantee that an organisation will meet all data protection requirements as every organisation is different but it covers the range of areas the ICO looks at when assessing an organisation's compliance to conduct consensual and compulsory audits. The framework is targeted at larger businesses and organisations in the public, private and third sectors. It is not aimed at SMEs which should use the self-assessment toolkit and other resources. It is an extension of the Accountability Framework and contains nine toolkits covering different key areas including AI and age-appropriate design.

ICO fines Police Service of Northern Ireland £750,000

The ICO confirmed on 3 October 2024, that it is fining the Police Service of Northern Ireland £750,000 after it disclosed employee records including surnames, initials, ranks and roles of 9,483 employees in response to a freedom of information request. The data was uploaded to a website and made available for around three hours. It was presumed by the Police to have fallen into the hands of dissident republicans who would use the data to create fear and uncertainty and to intimidate. The ICO said that the fine would have been £5.6m had it not taken into account the fact that it was being imposed on a public organisation.

Many Member States behind on NIS2 implementing legislation

Many EU Member States look set to miss the deadline for passing NIS2 implementing legislation on 14 October 2024. As a result, the Commission may pass an implementing Act and is, according to Euractiv, considering how it would define what constitutes a "significant incident" which would need to be quickly reported to authorities. The latest draft proposes that an incident which leads to harm to a person's health or causes financial losses of over €500,000 or 5% of a company's total annual turnover would be considered "significant". The Act also suggests that businesses suffering an incident which is suspected to be the result of malicious actions will need to report the incident where the incident affects 5% or more of the total EU users of cloud computing and content delivery network providers, online marketplaces, search engines, social networking platforms and managed security service providers.

Social networks cannot use all personal data they process for targeted advertising

On 4 October 2024, the ECJ handed down judgment in a reference from Austria in a case brought by Max Schrems who complained that personal data relating to his sexual orientation had been processed unlawfully by Meta to send him advertising targeted at homosexuals. He argued this was done without his consent or under any other lawful basis. Schrems claimed the advertisements were not based directly on his sexual orientation but on an analysis of his particular interests. He brought an action in the Austrian courts and subsequently referred publicly to his homosexuality during a panel discussion but did not publish this information on Facebook. 

The Austrian Supreme Court asked the ECJ whether:

• a network such as Facebook may analyse and process all the personal data available to it without restriction as to time for the purposes of targeted advertising, and
• whether a statement made by a person about their sexual orientation as part of a panel discussion permits the processing of other data concerning that topic for the purposes of offering them targeted advertising. 

The ECJ said:

• The GDPR principle of data minimisation precludes all personal data obtained by a controller from being aggregated, analysed and processed for the purposes of targeted advertising without restriction as to time and without distinction as to the type of data.
• The fact that Mr Schrems made a statement concerning his own sexual orientation during a public panel discussion may constitute an act by which he "manifestly made public" the information, thereby negating the prohibition on processing special data although it will be for the national court to decide, but making the data public does not in itself permit its processing for the purposes of personalised advertising. 

ECJ judgment relating to cause of action and nature of health data

On 4 October 2024, the ECJ ruled in the Lindenapotheke (Case C-21/23) – a reference from Germany. The German court asked whether the GDPR precluded a competitor bringing a case against it for breach of the GDPR under unfair commercial practices legislation. In this case, a competitor of an online pharmacy selling pharmacy-only non-prescription products on Amazon Marketplace, brought an action seeking an order that the pharmacy cease activity unless it could guarantee that consumers could give prior consent to the processing of health data. The ECJ was asked to decide whether the GDPR precluded this action and also whether the data in question was health data and required an Article 9 exemption from the general prohibition on its processing. The ECJ held that the GDPR did not preclude this kind of action and indeed, such action strengthened data protection. It also said that even where products were sold without requiring a prescription, the data which users were required to enter before purchasing was health data.

ECJ underlines that purely commercial interests can be legitimate

On 4 October 2024, the ECJ ruled in a reference from the Netherlands regarding the Royal Lawn Tennis Association (KNLTB). The KNLTB had disclosed member personal data to be used for marketing purposes. The Dutch Supervisory Authority (AP) fined the KNLTB for breaching GDPR and, in particular, for not having a lawful basis for the processing at issue. The AP said for the purposes of Article 6(1), legitimate interests are only those enshrined in and determined by law. The referring court then asked the ECJ how to interpret what constitutes a legitimate interest. In short, the ECJ underlined that a legitimate interest can be purely commercial provided it is lawful but the interest does not need to be determined by law. The processing needs to be necessary to fulfil the purpose and a legitimate interest assessment must be carried to determine that the interests of the controller are not overridden by the rights and freedoms of the data subjects.

EDPB publishes draft guidelines on legitimate interests for consultation

On 8 October 2024, the EDPB published draft guidelines on Article 6(1)(f) GDPR – the lawful basis of legitimate interests – for consultation. The draft guidelines:

• set out the process for determining the applicability of Article 6(1)(f) as a lawful basis including how to carry out the three step cumulative assessment and a Legitimate Interests Assessment, setting out factors to consider when doing so
• discuss the relationship between Article 6(1)(f) and data subject rights
• look at how to assess whether Article 6(1)(f) applies in specific contexts including processing children's data, processing for direct marketing and prevention of fraud.

News as at 3 October 2024

New UK cyber security legislation confirmed for 2025

In the July King's Speech, the government announced it would introduce a new Cyber Security and Resilience Bill. This is intended to strengthen defences and protect digital services, including by:

• Expanding the remit of the existing regulation to protect a wider range of digital devices and supply chains
• Enhancing regulator powers and resources
• Introducing increased incident reporting requirements.

The government has now confirmed that the new legislation will be introduced to Parliament in 2025 rather than this year and is likely to be subject to prior consultation.

ICO response to Ofcom consultation on illegal harms

The ICO has published its response to Ofcom's consultation on illegal harms. Confining itself to areas with an impact on the ICO's remit, the ICO makes a number of points around alignment with UK data protection law and clarity including:

• Content moderation – the ICO has no objection to the proposed content moderation measures in principle but says it does not agree that there is minimal impact on privacy when carrying out automated scanning. The ICO recommends the measures be expanded to refer to data protection requirements including transparency, purpose limitation, data minimisation, accuracy and Article 22 requirements. Services should be required to take into account the importance of minimising incorrect reports of CSEA material when configuring accuracy settings and deciding how much material is appropriate for human review.

• Guidance on content communicated privately and publicly – the ICO says the illegal harms guidance does not provide sufficient regulator certainty to enable services to understand whether content is communicated privately or publicly, and that this may incentivise services to assess the issue inappropriately. The ICO says that where a service has conducted a genuine assessment and failed to reach a conclusion, the default should be that the content is communicated privately in line with the wider duty to avoid data breaches during OSA compliance.

• Risk assessment guidance – the ICO is concerned that Ofcom's approach could deter services from using end-to-end encryption because it is too risky under the OSA. The ICO would like Ofcom's guidance to make it clear that the online safety regime does not prohibit or restrict the use of end-to-end encryption and that the emphasis should be on requiring safeguards to ensure risks are managed appropriately.

• Data minimisation – the ICO is concerned there may be a lack of clarity about what personal data is needed to comply with Ofcom's guidance. It suggests Ofcom make clear that data minimisation is important and ensure services are not incentivised to process more personal data than necessary in order to comply with the online safety regime.

Irish DPC fines Meta EUR 91m for security failings

On 27 September 2024, the Irish Data Protection Commissioner announced it had issued a reprimand and a EUR 91m fine to Meta for security failings relating to the storage of passwords in plain text. The Irish DPC found not only that Meta had failed to notify it of a data breach and to document data breaches concerning the storage of passwords in plain text, but it had not used appropriate technical or organisational measures to protect the passwords against unauthorised measures and use a level of security appropriate to the risk. The decision, which will be published in full shortly, was reached following an Article 60 procedure.

ECJ holds SAs not obliged to exercise corrective powers

The ECJ has ruled in a reference from Germany, that Supervisory Authorities (SAs) have discretion as to whether or not to exercise corrective powers where a controller has already taken steps to remediate an issue. This particular case related to a minor data breach by an employee at a bank. The affected customer argued that the relevant SA should have fined the bank. The ECJ held that:

• An SA is not required to exercise a corrective power (particularly a fine) where to do so would not be appropriate, necessary and proportionate.
• The SA is required to exercise one or more of its corrective powers where it is appropriate, necessary and proportionate.

News as at 26 September 2024

LinkedIn to pause use of UK data to train generative AI

LinkedIn has said it will pause the use of UK personal data to train generative AI models as a result of concerns raised by the ICO and pending further engagement. The ICO has welcomed the announcement but says it will continue to monitor major developers of generative AI.

EHRC guidance on Public Sector Equality Duty and data protection

The Equality and Human Rights Commission published guidance on the Public Sector Equality Duty and data protection on 12 September 2024. The guidance analyses the relationship between s149 Equality Act 2010 and data protection legislation. It advises public authorities on how to collect and process equality information in a data protection compliant manner and sets out best practice.

Instagram introduces teen accounts

On 17 September, Instagram announced the introduction of Instagram Teen Accounts to provide greater privacy by default. Teen accounts will limit who can contact teens and the content they see. Teens will automatically be given teen accounts and those under 16 will require parental permission to change default settings. Teens will also get access to a new feature which allows them to select types of content they want to see more of and receive notifications suggesting they leave their devices after 60 minutes each day. Sleep mode will be activated between 10pm and 7am which will automatically mute notifications. Online safety campaigners say the controls are easy to circumvent. The ICO has reminded platforms that under the Children's Code, settings must be high privacy by default. Ofcom has said that Instagram's measures are a "step in the right direction" in terms of online safety compliance but warns that it won't hesitate to take enforcement action against any company falling short of its obligations under the Online Safety Act once safety duties come into force early next year.

News as at 18 September 2024

Data centres classified as Critical National Infrastructure

On 12 September 2024, the government announced that data centres will be designated as Critical National Infrastructure (CNI). This will allow the government to support the sector in the event of critical incidents, minimising their effect on the economy. There will be a dedicated CNI data infrastructure team which will monitor and anticipate potential threats and provide prioritised access to security agencies and emergency services. The government also announced potential investment by DC01UK of £3.75 billion in UK data centres which follows the announcement of an £8 billion investment by Amazon over five years in data centres in the UK.

Meta to resume training AI using UK data

In June 2024, Meta paused its use of EU and UK personal data on Facebook and Instagram to train generative AI. While it has undertaken to make this pause permanent in the EU, it will resume these activities in the UK after having made changes to the process including simplifying user opt out and giving users longer to do so. The ICO says it will monitor the situation as Meta begins informing users and is clear that it has not provided regulatory approval for the processing. It says it is now up to Meta to "ensure and demonstrate ongoing compliance".

Separately, in order to comply with its obligations under the Digital Markets Act, Meta has announced major changes to WhatsApp and Messenger to enable interoperability with third-party messaging services. As part of this it will notify EU users when a new third-party messaging service becomes interoperable and give users the choice between receiving all messages in a single inbox or keeping them separate.

EC to consult on legislation to update SCCs

The EC has announced plans to consult on draft legislation to update Standard Contractual Clauses. The consultation is likely to take place before the end of this year and changes are expected to be finalised in the second quarter of 2025.

ICO and NCA sign MoU

The ICO and the National Crime Agency have signed a Memorandum of Understanding setting out how they will help UK organisations become more resilient to cybercrime and share information. They aim to improve standards in cyber security and avoid duplication of effort while sharing information and experience with each other and the public. The ICO has a similar MoU with the National Cyber Security Centre.

EDPB and EC to produce guidance on interaction of GDPR and DMA

The EDPB announced on 10 September 2024, that it will work with the European Commission to produce guidance on how gatekeepers under the Digital Markets Act can comply with the GDPR and align their obligations.

Irish DPC launches inquiry into Google's AI practices

On 12 September 2024, the Irish DPC announced it had begun a cross-border statutory inquiry into Google's AI practices under s110 of the Data Protection Act 2018. The inquiry looks at whether Google has complied with requirements to carry out a Data Protection Impact Assessment before using EU/EEA personal data to train its AI model Pathways Language Model 2 (PaLM2).

EC publishes Data Act FAQs

The European Commission published FAQs on the Data Act on 6 September 2024. These have been compiled with input from a variety of stakeholders and are intended to support implementation of the Act which will apply from 12 September 2025.

ICO issues reprimand to Sky Betting and Gaming for cookie consent failings

On 17 September 2024, the ICO issued a reprimand to Bonne Terre Limited trading as Sky Betting and Gaming (SkyBet), over its unlawful processing of personal data by using advertising cookies without user consent. The ICO said SkyBet was sharing personal data with adtech companies when they accessed the SkyBet website before users were given a chance to accept or reject advertising cookies. The ICO found no evidence of deliberate misuse but concluded the processing was not lawful, transparent or fair. SkyBet made changes to its cookie practices in March 2023 as a result of the ICO's investigation. The ICO will be publishing guidance on cookies and similar tracking technologies for consultation alongside its position on the consent or pay model later this year.

News as at 11 September 2024

Irish DPC concludes proceedings against X relating to its AI tool

On 4 September, the Irish DPC announced that it had concluded the proceedings it had brought before the Irish High Court regarding X's use of EU/EEA data to train its AI tool Grok. The proceedings were struck out after X agreed to extend its commitment not to process EU/EEA personal data to train Grok on a permanent basis. 

The DPC has made a request to the EDPB for an Article 64(2) opinion on some of the core issues arising in the context of using personal data to develop and train AI.

CMA publishes statement of objections regarding Google's adtech practices

On 6 September, the CMA published a statement of objections setting out how Google may have broken competition law by using its dominance to favour its own adtech services in open-display advertising. The CMA's provisional findings are that Google has abused its dominant position on both the ad server (DoubleClick for Publishers or DFP), and the buying tool (Google Ads and DV360) side to restrict competition in the UK. In particular, it has preferenced its own ad exchange (AdX), harming competition and advertisers and publishers. The CMA finds that since 2015, Google has used its buying tools and publisher ad server to strengthen AdX's position and restrict competitor opportunities. It has also prevented rival publisher ad servers form being able to compete effectively with DFP. 

Practices singled out include:

• providing AdX with exclusive or preferential access to advertisers that use Google Ads' platform
• manipulating advertiser bids so they have a higher value when submitted into AdX's auction than when submitted into rival exchanges' auctions
• allowing AdX to bid first in auctions run by DFP for advertising space.

The CMA will consider representations from Google before reaching a final decision. Google's adtech practices are also under scrutiny from competition regulators in the EU and USA.

Netherlands DPA fines Clearview AI EUR 30.5m

The Dutch DPA (the AP) is the latest regulator to fine Clearview AI regarding its processing of personal data for its image recognition database. It has issued a fine of EUR 30.5m and additional penalty payments for ongoing breaches. Clearview AI scraped images from the internet without consent to create its database. The AP warned that Clearview also fails to inform people about its data processing activities and does not respond to subject access requests. The AP is looking into whether the company's directors can be held personally liable for infringements and warns that it will act against Dutch organisations if they use Clearview.

Gatekeepers will need to segregate FIDA data

MLex reports that a compromise proposal for the text of the Financial Data Access Regulation suggests digital gatekeepers will be required to keep personal data obtained under FIDA, separate from other personal data they hold and will be prevented from combining it. Member States are hoping to agree a compromise text in the next few months.

EDPB to gather information on 'consent or pay' models

On 5 September 2024, the EDPB invited stakeholders to participate in a remote event on 18 November intended to gather information about 'consent or pay' models. This exercise will inform the upcoming guidelines on the issue. The guidelines will be an extension of EDPB Opinion 08/2024 which covers consent or pay in the context of large online platforms and will have broader application.

TfL suffers cyber attack

TfL limited access to some of its online services on becoming aware of a cyber attack on 8 September 2024. TfL said the attack mainly impacted its backroom systems at its corporate HQ but it had no reason to believe any personal data had been compromised. As a result of the attack, TfL limited live travel information services and restricted access to customer journey history for some customers. It has been working with the National Cyber Security Centre and the National Crime Agency in the course of investigating the incident. 

News as at 5 September 2024

EC reviews EU-US DPF as Switzerland agrees its own DPF

On 9 August 2024, the European Commission launched a call for evidence on the functioning of the EU-US Data Protection Framework. Feedback is invited by 9 September and will help the Commission assess whether all aspects of the DPF are in place and functioning as intended. The Commission has been collating information from a variety of sources and will produce a full report on the DPF.

Separately, Switzerland approved the Swiss-US Data Privacy Framework on 14 August 2024.

CMA accepts Meta's commitments on use of digital advertising data

The CMA announced on 20 August 2024, its decision to accept a variation of Meta's binding commitments to address competition concerns relating to its use of digital display advertising service data. Initially the commitments involved Meta using technical systems to prevent the use of competitor advertising data being used on Facebook Marketplace or to improve it. The technical solutions were applied to advertisers who had opted out of their data being used for such purposes or who had been opted out by Meta and had not objected. The variation allows the solution to cover all data from all advertising customers not just Facebook Marketplace's competitors. 

Call for evidence on final section of ICO generative AI guidance launched

The ICO published its fifth and final call for evidence on generative AI and data protection on 22 August 2024. Responses are required by 5pm on 18 September. The ICO sets out its thinking on the allocation of controllership across the AI supply chain with a focus on AI as a Service (AIaaS). While not going into specific detail on obligations, the ICO provides some indicative scenarios of processing activities. The ICO seeks evidence on additional processing activities and actors not included in this call alongside the relevant allocation of accountability roles and asks for a range of inputs on issues relating to controllership allocation and data processing in generative AI.

ICO launches privacy notice generator for small organisations and sole traders

On 20 August, the ICO launched a privacy notice generator tool for sole traders, start-ups, small organisations and charities to help them create bespoke privacy notices in a variety of sectors. These include finance, insurance, legal sectors, education, health and social care, retail and manufacturing.

UK consults on raising data protection fee

The ICO is partly funded by data protection fees which are payable by organisations which process personal data unless they do it for purposes which are exempt. The maximum fee is currently set at £2,900 and has not increased since it was introduced in 2018. The government is now consulting on raising the fee to a £3979 for tier 3 organisations with more than 250 staff or an annual turnover of over £36m. Tier 1 fee changes are proposed to rise from £40 to £55 and tier 2 from £60 to £82. The consultation closes on 26 September 2024.

Latest NOYB complaints

NOYB had a busy August. It:

• Filed eight complaints against X – these were filed with eight Supervisory Authorities after NOYB accused the Irish DPC of failing to tackle core issues around X's use of personal data. The complaints ask the SAs to investigate all X's data processing practices for GDPR compliance.

• Filed a court action against the Swedish SA­ – NOYB alleges that the Swedish SA has not complied with its obligations and "seems to forget it's an enforcement authority"

• Filed two complaints with the EDPS against the European Parliament – NOYB has lodged complaints on behalf of four European Parliament employees relating to the impact of a data breach of the EP's recruitment database in June 2024. The first complaint concerns the revelation of special personal data and the second, refusal to respond to an erasure request.

United Nations approves cybercrime convention text

On 9 August 2024, the UN agreed the wording of a draft convention on cybercrime which is expected to be adopted by the General Assembly by the end of the year. It will be the first legally binding instrument on cybercrime and is intended to enhance international cooperation, law enforcement efforts, technical assistance and capacity building. Commentators, including human rights groups and tech companies, are concerned that the language is sufficiently broad to allow authoritarian governments to crack down on opposition and abuse human rights.

Uber fined EUR 290m for data export failings

The Dutch Supervisory Authority has fined Uber EUR 290m relating to a complaint passed on to it by the French SA and brought by the French Human Rights League representing over 170 Uber drivers. Uber was held to have failed to sufficiently protect driver privacy when transferring their personal data from the EU to the USA. Uber was found to have transferred the data which included special category data, to the USA without using transfer tools for a period of two years from August 2021 until the end of 2023 when Uber began making transfers under the EU-US Data Protection Framework.

EU and China's Cross-Border Data Flow Communication Mechanism

On 27 August, the EU and China launched their first set of discussions under the new Cross-Border Data Flow Communication Mechanism. The mechanism will focus on practical solutions to address problems EU companies face in China regarding cross-border data flows. 

ICO reprimands Labour Party

On 28 August 2024, the ICO issued a reprimand to the Labour Party for repeatedly failing to respond to subject access requests. The Labour Party received 352 SARs in November 2022, partly as a result of a 2021 cyber attack. 78% had not received a response within the required three months, and 56% or responses were delayed by over a year. The ICO said it had received over 150 complaints about Labour's handling of SARs between November 2021 and 2022.

ICO report on challenges to adopting PETs

In August, the ICO published a report on tackling barriers to privacy-enhancing technologies (PETs) adoption. The report covers an analysis of the barriers and recommendations on how to overcome them, based on input from an ICO workshop on PETs.

News as at 13 August 2024

ICO provisionally fines data processor £6m

On 7 August 2024, the ICO announced its provisional decision to fine Advanced Computer Software Group Ltd £6.09m for failing to protect the information (which included sensitive data) of just over 80,000 people.  Advanced acts as a data processor in providing IT and software services to organisations including the NHS and other healthcare providers.  It suffered a ransomware attack in August 2022 via a customer account that did not have multi-factor authentication.  This led to the exfiltration of the personal data of 82,946 people and to disruption to critical services such as NHS 111 and access by medical staff to patient records.

The ICO will consider representations by Advanced before making a final decision.  If it does proceed with the fine, it will be the first major UK GDPR fine issued to a data processor.

ICO warns social media platforms and VSPs to do more on children's privacy

On 2 August 2024, the ICO wrote to 11 social media and video sharing platforms, calling on them to improve their children's privacy practices.  This follows on from the ICO's ongoing review of social media platforms and VSPs.  The 11 platforms are being asked to address questions relating to default privacy settings, geolocation and age assurance and explain how their practices comply with the Children's Code.

The ICO has also launched a call for interested stakeholders to share views and evidence on:

• how children's personal information is currently being used in recommender systems, and
• recent developments in the use of age assurance to identify children under 13.

The call closes on 11 October 2024.

UK government continues ongoing cyber security consultations

The new Labour government has said it wishes to continue with consultations launched by the previous government on:

• a draft code of practice for software vendors to improve software security and resilience
• cyber security of AI including a voluntary Code of Practice
• the future of the CyberFirst programme and how this can be scaled to inspire future talent.

Feedback is requested by 9 August 2024.

EDPS Model Administrative Arrangements for transfers of personal data from EU Institutions

On 31 July 2024, the EDPS published Model Administrative Arrangements for transfers of personal data from EU institutions to international organisations.  These are designed to help the institutions comply with relevant data protection law and place an emphasis on core data protection principles and required safeguards.

X suspends use of personal data to train AI tool

On 8 August 2024, X announced it was suspending processing personal data in publicly available tweets to train its AI tool Grok.  The decision was welcomed by the Irish DPC which had filed an application to suspend the service at the High Court following complaints by consumer protection groups.

News as at 30 July 2024

Meta's pay or consent model faces further scrutiny

The EU's Consumer Protection Cooperation Network (CPC) sent a letter to Meta on 22 July, with questions relating to a suspected breach of EU consumer law as a result of its pay or consent model in the EU for its Facebook and Instagram platforms.  The action is led by the French competition regulator and coordinated by the Commission.  The Commission is concerned that Meta uses misleading or aggressive practices and is insufficiently transparent when offering consumers the choice between paying for an ad free model and consenting to being tracked for advertising purposes.  This action is distinct from other ongoing investigations relating to the DMA, the DSA and the GDPR which also focus on Meta's pay or consent model.  Meta is required to respond and propose solutions by 1 September 2024.

Meanwhile, Meta was hit by a USD$220m fine in Nigeria for breaches of competition, consumer and data protection laws.

EC publishes second GDPR implementation report

The European Commission published its second report evaluating the GDPR on 25 July 2024.  The report found that the GDPR was fit for purpose but improvements could be made around enforcement.   In particular the GDPR Procedural Regulation would help but the report also emphasised the need for consistent approaches and cooperation between Member State regulators, both in relation to the GDPR itself, and in terms of its place in the wider digital regulatory framework.

CrowdStrike incident likely to cause huge insured losses

The impact of the CrowdStrike incident is likely to result in large insurance claims with estimates that US Fortune 500 companies alone would be likely to claim USD 5.4bn in insured damages.  CrowdStrike said at the weekend that 97% of affected systems are now back online.

ICO reprimands school for failure to conduct DPIA before using FRT

On 24 July 2024, the ICO issued a reprimand to a school which introduced facial recognition technology in its canteen without first conducting a DPIA as required under the UK GDPR.

News as at 24 July 2024

EDPB says DPAs best placed to regulate AI

The EDPB adopted a statement on the role of DPAs in the AI Act framework on 17 July 2024. The EDPB stresses that DPAs already have experience when dealing with the impact of AI on fundamental rights, in particular, regarding protection of personal data. It therefore recommends that the DPAs be designated as the Market Surveillance Authorities, which must be appointed by Member States by 2 August 2025. The AI Act itself recommends DPAs as MSAs for high-risk AI systems used for law enforcement, border management, administration of justice and democratic processes. The EDPB recommends they should also be MSAs for other high-risk systems and be designated as single points of contact. Appropriate governance and cooperation policies would be needed.

EU DPAs and the ICO have a track record of activity on AI. Most recently, on 18 July, the CNIL published guidance on how it would enforce aspects of the EU AI Act and how to deploy generative AI, and on the same date, the Irish DPC published guidance on the relationship between large language models and data protection. 

EDPB FAQs on EU-US Data Privacy Framework

On 17 July 2024, the EDPB published FAQs on the EU-US Data Privacy Framework (DPF) for individuals and businesses. The FAQs for individuals provide information on the functioning of the DPF – how to benefit from it, how to lodge complaints, and how complaints are handled. The business FAQs focus on which companies are eligible to sign up to the DPF and what to do before transferring personal data to DPF-certified organisations.

Warning that hacking may follow CrowdStrike bug

Chaos ensued on 19 July after CrowdStrike issued a faulty software update causing many devices using Microsoft Windows to crash. CrowdStrike said around 8.5m devices were impacted and it that been working on a technique to reboot systems more rapidly after warnings that full recovery could take weeks. CrowdStrike said the issue was not due to a cyber attack, however, in the aftermath, there are concerns that hackers may exploit the event by falsely claiming to represent CrowdStrike in order to get access to systems. 

Open Rights Group submits complaint to ICO about Meta's AI plans

The UK privacy advocacy group Open Rights Group (ORG) submitted a complaint to the ICO about Meta's proposed changes to its privacy policy on 15 July 2024. Meta said it would update its privacy policy to rely on legitimate interests to use personal data it processes to develop AI systems from 26 June. ORG's complaint follows a complaint by NOYB regarding similar proposals in the EU. Meta said it would pause the changes in the EU and, at the ICO's request, in the UK, however, the ORG says there has been no change to the policy itself. It calls on the ICO to issue a binding decision to prevent the processing of personal data to develop AI without consent, investigate the issue, and prohibit the use of personal data for undefined "artificial intelligence technology" without opt-in consent.

Google changes approach on phasing out third-party cookies

After concerns expressed by the CMA and the ICO, Google announced on 22 July 2024, that "instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing and they'd be able to adjust that choice at any time". It will continue to work on Privacy Sandbox APIs and to make them available in discussion with regulators and industry. Google has also said it will offer additional privacy controls by introducing IP Protection into Chrome's Incognito mode. The CMA has said it is "considering the impact of this announcement and welcomes views until 12 August". The ICO said: "We are disappointed that Google has changed its plans…we will reflect on this new course of action when more detail is available".

News as at 18 July 2024

New UK data, AI and cybersecurity legislation announced

The new Labour government set out its legislative agenda in the King's Speech to Parliament (and in background briefing notes) on 17 July 2024. In the speech itself, it announced it would "seek to establish the most appropriate legislation to place requirements on those working to develop the most powerful AI models” although no AI-specific Bill was listed in the briefing notes themselves. They did, however, list two important pieces of legislation not mentioned in the speech:

Digital Information and Smart Data Bill - this aims to harness the power of data for economic growth. Among other things, it will establish digital verification services, a national underground asset register, and smart data schemes which allow secure sharing of customer data with authorised third party providers. It will also preserve many of the reforms to the ICO's governance structure proposed under the Data Protection and Digital Information Bill (which did not pass before the general election) and will include “targeted reforms to some data laws….where there is currently a lack of clarity”.  No specific mention of the GDPR is made.  Suggestions are that the new Bill will drop some of the more controversial elements of its predecessor and make fewer changes to the UK GDPR.

Cyber Security and Resilience Bill - to protect public services and infrastructure by expanding the remit of existing regulation, putting regulators on a stronger footing and increasing reporting requirements. This is widely expected to bring the current NIS Regulations more in line with the EU's NIS2 Directive.

AI Act published in OJ

The EU's AI Act was published in the Official Journal on 12 July 2024 and will come into force on 1 August 2024 with compliance phased in over a three-year period. Hailed by the EU as a global first, the AI Act is the most comprehensive attempt to regulate the use of AI to date. It takes a risk-based approach to AI, aiming to strike a balance between innovation and regulation while protecting fundamental rights.  See here for more.

GPEN and ICPEN privacy sweep finds vast majority use dark patterns

On 9 July 2024, the Global Privacy Enforcement Network (GPEN) comprising 26 international data protection authorities, and the International Consumer Protection and Enforcement Network (ICPEN) announced the results of a global privacy sweep of over 1000 websites and apps.  They found that the vast majority used at least one deceptive design practice and that over 75% of subscription services across the 26 countries used dark patterns in their advertising.

ICO to publish IoT guidance in late 2024/early 2025

The UK ICO held a roundtable on IoT products on 11 July focusing on products like smart meters and fitness devices. It plans to produce draft IoT guidance for consultation towards the end of this year or in early 2025.

NOYB files complaint against ad broker Xandr

NOYB filed a complaint with the Garante against Microsoft-owned ad broker Xandr on 9 July 2024.  NOYB alleges Xandr does not comply with GDPR transparency requirements in its use of personal data for targeted advertising, particularly as regards special data.  Its website states that it did not fulfil any erasure or access requests in 2022, and it refused to comply with an access and erasure request made in February 2024, saying it was unable to identify the data subject, despite having set a cookie on the individual's device used to target advertising to them, the value of which had been presented to Xandr. 

NOYB consent banner report

NOYB published a report on 11 July 2024, analysing decisions taken by national data protection regulators relating to cookie consent banners, and comparing them with the position taken by the EDPB's cookie banner taskforce.  The report is intended as a useful resource for businesses implementing consent banners on their websites and is intended to spark further discussion about deceptive practices and how to avoid them. 

News as at 11 July 2024

EU-Japan cross-border data deal now in force

The EU-Japan Economic Partnership Agreement (EPA)came into force on 1 February 2019.  On October 2023, the EU and Japan negotiated an agreement on cross-border data flows.  This was ratified and entered into force on 1 July, now forming part of the EPA.  It provides for the free flow of data (not just personal data) between the EU and Japan and removes data localisation requirements among other things.

EC consults on NIS2 Implementing Regulation

The European Commission launched a consultation on a draft Implementing Regulation (IR) under the NIS2 Directive on 27 June 2024.  The IR will set out details relating to Article 23(3) of the NIS2 Directive including when an incident will be "significant" and the technical requirements of the Article 23(3) risk management measures.  Relevant entities under the IR will include cloud computing service providers, managed service providers, providers of online marketplaces, online search engines and social network platforms.  The consultation closes on 25 July 2024 and the Commission hopes to adopt the IR by the end of Q3 2024.

High Court ruling on data protection versus defamation claim

On 3 July 2024, the High Court ruled in Pacini and another v Dow Jones & Company Inc. [2024] EWHC 1709 (KB). The court rejected an application to strike out a claim for breach of data protection law brought by the two claimants – former senior executives of the XIO group.  The claim related to two articles published in 2017 and 2018 and the right to be forgotten.  Dow Jones sought to have the claim struck out, arguing that it was purely tactical and an abuse of process because it was in reality a statute-barred defamation claim, the nub of which concerned the claimants' reputation, or that it was an abuse in the sense of the Jameel v Dow Jones & Company 2005 case. 

The court ruled against Dow Jones saying that the claimants' evidence suggested the nub of the claim was to exercise the right to be forgotten.  This seemed arguable and not plainly improper and either way, the Dow Jones argument for abuse would require a full trial.  The Judge said it would be wrong to stigmatise a claim for damages for reputational harm caused by processing inaccurate data in a data protection claim as an abuse of process.  The issue was not suitable for determination on summary application and probably required an appeal court to assess it given it is currently an unsettled issue.  He also said it would be wrong to strike the claim out summarily on Jameel grounds as it could not be said that the claim had little prospect of success based on the evidence.

The case therefore continues.

News as at 4 July 2024

Preliminary findings that Meta's Pay or Consent model breaches DMA

On 1 July 2024, the European Commission informed Meta that its preliminary findings were that Meta's 'pay or consent' advertising model breaches the Digital Markets Act.  Under Article 5(2) of the Digital Markets Act, gatekeepers must seek user consent to combine their personal data between designated core platform services and other services.  If a user refuses consent they should be offered access to a less personalised but equivalent alternative service.  Gatekeepers cannot make the provision of certain services or functionalities conditional on user consent.

The EC provisionally finds that Meta's 'pay or consent' advertising model breaches the DMA because:

• It does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the service which offers personalised ads
• It does not allow users to exercise their right to give their consent freely to the combining of their personal data across services.

Meta which contends its model complies with EU law including ECJ case law, can reply to the Commission's preliminary findings.   If the Commission does not change its preliminary views, it will adopt a non-compliance decision and can impose fines of up to 10% of annual global turnover, rising to 20% for repeated non-compliance.

The 'pay or consent' model has also been under the scrutiny of European Data Protection Regulators, with the EDPB issuing an opinion in April which also emphasised the importance of providing a genuinely equivalent free alternative to a service, rather than offering a binary choice between a paid for ad free service and a free service supplied conditionally on user consent to behavioural advertising.

ICO reportedly expecting a new data protection Bill early into the next parliament

MLex has reported that the ICO expects a new data protection bill to come "at an early stage of the next parliament" and that he expressed disappointment that the DPDI Bill failed to make it to enactment. This ties in with suggestions from other sources that a Labour government would put forward some sort of digital information bill (a rumoured Digital Bill of Rights), although it may be less focused on GDPR reform than the DPDI Bill was.

Joint EDPS and AEPD report on processing neurodata

The European Data Protection Supervisor and the Spanish DPA, the AEPD, published a joint report on neurodata on 3 June 2024.  Neurotechnology monitors human brain activity, for example, it can be used to monitor response to ads and to predict behaviour based on previous ads.  Combined with AI, neurodata could conceivably be used for law enforcement and screening as well as surveillance.  As such, certain uses will be prohibited under the EU's AI Act.  The report outlines different uses of neurotechnology and looks at the types of neurodata they may process and their applications.  It goes on to look at challenges when processing such data, including threats to the rights and freedoms of individuals and data protection compliance.

ESRB recommendation on cyber incident coordination framework

On 27 June 2024, the European Systemic Risk Board published a compliance report on its recommendation on the establishment of a pan-European systemic cyber incident coordination reporting framework (EU SCICF).  Its recommendation was published in January 2022 for issues that EU authorities should consider in preparation for DORA and requirements around points of contact.  The report found there has been good progress but reminded relevant authorities that the EU-SCIF must be ready to be fully operational by the end of 2024.

Council of EU Recommendation on critical infrastructure security

On 25 June 2024, the Council of the EU adopted a Recommendation on a Blueprint for protecting EU citizens and the internal market, essentially to coordinate a response at EU level to disruptions to critical infrastructure with significant cross-border relevance.  The focus is on sharing experience and information about an incident to help coordinate public communications and an effective response.  Testing of the Blueprint at national, regional and EU level is recommended with a test exercise at EU level to take place within 18 months.

ICO public sector approach

The ICO launched a two year trial of its approach to public sector organisations in June 2022.  The trial has now ended and the ICO will review its approach before making a final decision on it in the autumn.  In the meantime, the current approach will apply.

News as at 26 June 2024

ePrivacy Regulation likely to be withdrawn

After years of stalemate, there are media reports that the next European Commission will withdraw the ePrivacy Regulation.  The expectation is that it will be replaced, potentially by three separate pieces of legislation covering:

• Data retention – to cover law enforcement access to electronic communications data
• Digital fairness – to cover cookies, influencer marketing, dark patterns and contract cancellation
• Digital advertising – to improve transparency in the digital advertising industry and power imbalances between big tech and other players.

Progress on Platform Work Directive

On 25 April 2024, the European Parliament passed the Platform Work Directive, introducing new rules on algorithmic management and data protection measures for workers. The Directive prohibits digital platforms from processing data on workers' emotional or psychological state, or data that could infer sensitive information such as racial or ethnic origin, political or religious beliefs, migration status, health, or trade union activity. Biometric data processing is allowed only for authentication, and platforms cannot collect personal data when the person is not performing platform work. The new rules ensure that workers cannot be fired or dismissed based on algorithmic or automated decisions, requiring human oversight for important decisions affecting platform workers. The Directive will now be adopted by the Council and then signed and published in the Official Journal coming into force 20 days later.  Member States will have two years from entry into force to transpose the Directive.

Final version of EDPB Law Enforcement Directive Guidelines published

The EDPB has published the final version of its Guidelines on Article 37 of the Law Enforcement Directive which relates to data transfers.  The EDPB says the recipient country or organisation must have an essentially equivalent level of data protection as the EU but the requirement relates to the specific data transfer or category of transfers so essential equivalence must be guaranteed for the particular case rather than the overall legislative position in the recipient country. The guidelines also detail the importance of legally binding instruments for data transfers, the requirements under the legal framework, and the role of DPAs in monitoring data transfers.

Data from Synnovis ransomware attack published online

On 21 June, health data stolen during the 3 June ransomware attack on Synnovis was reportedly published online.  The NCSC said it was investigating whether or not the published data was in fact data extracted from Synnovis and both it and NHS England have provided online support tools.

Norwegian data protection board holds daily penalty for Meta unlawful

Norway's Personal Data Protection Board has held the Norwegian DPA does not have the authority to impose a daily penalty on Meta Ireland for failing to comply in Norway with the ban on behavioural advertising on the basis of legitimate interest or contractual necessity.  The DPA erred in imposing this type of penalty (of up to 1m NOK per day) which it can only do in domestic cases, not in cross-border ones.  The behavioural advertising ban was, however, upheld in a separate decision.

News as at 19 June 2024

Would a Labour government bring back the DPDI Bill?

All polls currently suggest the Labour Party will win the general election (other parties are available). The Labour Party manifesto was published on 13 June 2024. In terms of data, Labour commits to creating a National Data Library to provide access to public data sets and remove planning barriers for data centres and to supporting creation of conditions to facilitate open banking. While the Labour manifesto does not mention the Data Protection and Digital Information Bill, some of its proposals suggest that it may introduce at least parts of the Bill if not those which deal with reform of personal data protection law, however, the prevailing view is that it will not reform the EU GDPR or those parts of the DPA 18 dealing with personal data.

Arguably the most detailed proposals on data come from the Liberal Democrats – the party most likely to be involved in any coalition situation. Among the proposals in their manifesto, the Lib Dems say they would:

• end bulk collection of communications data and internet connection records
• introduce a legally binding regulatory framework for all forms of biometric surveillance
• ensure use of personal data and AI is unbiased, transparent and accurate and respects the privacy of "innocent" people
• require all products to provide a "short, clear version of their terms and conditions, setting out the key facts as they relate to individuals' data and privacy"
• introduce a Digital Bill of Rights to protect everyone's rights online including the rights to privacy, free expression, and participation without being subject to harassment and abuse.

Meta to pause AI training plans

Following "intensive engagement" with Meta, the Irish DPC welcomed Meta's decision (in response to its request) to pause its plans to train its large language model using public content shared by adults on its Facebook and Instagram platforms across the EU/EEA. In a blogpost, Meta expressed disappointment and its belief that the changes made to its privacy policy to allow it to use the data do comply with EU data protection law. The Irish DPC acted following a number of complaints made to EU regulators by NOYB. Meta has also extended this pause to the UK at the request of the ICO.

CNIL consults on AI issues and produces 'principles' sheets on open data

On 10 June 2024, the CNIL began consulting on the development of AI systems and on how the EU GDPR applies to AI models. Feedback is sought on seven policies relating to the development of AI with the focus including open-source models, web scraping, lawful basis (particularly legitimate interest), data subject rights and security. The consultation closes on 1 September 2024 and the eventual policies will join the information sheets published in April 2024.

The CNIL also published 'principles' sheets on Open Data on 12 June to ensure permitted use of publicly available data complies with data protection law.

NOYB turns its attention to Chrome

On 13 June 2024, NOYB lodged a complaint with the Austrian DPA alleging that Google is not being transparent about the fact that it continues to track Chrome browser users after they have turned on the 'ad privacy' feature. The privacy feature is founded on Google's browser-based privacy sandbox in a move away from third party cookies. NOYB says Google should still get user consent to this and that it does not provide enough information to allow users to provide informed consent.

EU Council agrees negotiating position on GDPR enforcement harmonisation Regulation

The EU Council has agreed its negotiating position on the draft Regulation on rules to harmonise cross-border enforcement of the EU GDPR. This focuses on enhanced cooperation between EU data protection regulators and a revised complaints handing procedure. Trilogues can now begin.

ICO publishes Enterprise Data Strategy

On 13 June 2024, the ICO published the final version of its Enterprise Data Strategy following a public consultation. Part of the ICO's ICO25 strategic plan, the Strategy sets out how the ICO plans to use its data assets and exemplify responsible data use by adhering to the principles of:

• democratising data access
• dignifying data use
• disciplined data management, and
• daring innovation with data. 

UK's ICO and Canada's OPC to investigate 23andMe data breach

On 10 June 2024, the UK and Canadian data protection regulators announced they would investigate the 23andMe data breach which last year saw a threat actor compromise over six million profiles in a credential stuffing attack. The ICO and Office of the Privacy Commissioner of Canada (OPC) will focus on the scope of information exposed and likely harms, whether or not 23andMe had appropriate safeguards in place and whether it provided adequate notification of the breach to those affected and to relevant regulators.

High Court considers 'rights of others' exemption

The High Court held in Harrison v Cameron and another that a controller may rely on the 'rights of others' exemption under the DPA 18 and Article 15 UK GDPR and refuse to disclose identities of individuals in response to a SAR where doing so could reasonably be expected to create a significant risk that the individuals would face intimidation and threats from the maker of the SAR. A number of other issues were also considered including the scope of the personal/household exemption under Article 2(2)(a) of the UK GDPR.

News as at 12 June 2024

NOYB complains to DPAs about Meta's plans to train its AI with user data

On 6 June 2024, NOYB filed complaints with eleven European DPAs about Meta's planned changes to its privacy policy and is intending to add to those. Meta is proposing to start processing EU and UK user data on its platforms to train generative AI models. This will include posts and photos dating as far back as 2007 but will exclude private messages or messages with businesses. The data will be processed on the basis of Meta's legitimate interests although users will be able to opt out.

NOYB argues that the GDPR requires Meta to obtain user consent rather than providing an opt-out and says that the opt-out form is difficult to find and is misleading. The changes are set to take effect on 26 June 2024. NOYB is requesting a decision under the Article 66 urgency procedure particularly because it argues there is no option to opt out at a later point once the policy is in effect.

The Hamburg and Danish DPAs have reportedly already expressed concerns, however, the UK ICO's Executive Director for regulatory risk has reportedly said that it is up to users to "exercise their rights where they wish to do so", adding that AI developers must be transparent about their use of personal data.

LinkedIn to stop targeting EU users on basis of sensitive data

LinkedIn has said it will stop targeting ads at EU users based on sensitive data following a complaint that doing so was in breach of the Digital Services Act. The DSA prohibits targeting online adverts based on profiling using special categories of personal data. The complaint, made in February 2024, led to the European Commission sending LinkedIn a formal request for information in March of this year.

ENISA and ESAs enter into MOU

ENISA and the European Securities and Markets Authority, the European Insurance and Operational Pensions Authority and the European Banking Authority, published a multilateral memorandum of understanding on 4 June 2024. This covers cooperation and information exchange relating to DORA, NIS2 and other areas of common interest. In particular, common incident reporting and developing common technical standards will be prioritised.

ICO looking at Microsoft's Copilot+ Recall feature

On 7 June 2024, Microsoft announced it was making changes to its AI-powered 'Recall' feature for new laptop Copilot+ following privacy concerns. The Recall feature is billed by Microsoft as like giving the computer a photographic memory, allowing it to recall anything which has ever appeared on screen by taking regular screenshots and making those searchable. Microsoft is now giving people a clearer choice to opt in and is turning the system off by default. Strong authentication and 'proof of presence' will be required for users wanting to view their timelines and saved activity. The UK's ICO has been making enquiries with Microsoft about the system.

NHS disrupted by cyber attack

The NHS suffered a ransomware attack last week, believed to have been carried out by the Russian Quilin criminal gang. The attack affected the IT system of Synnovis which analyses blood tests on behalf of the NHS. A number of non-urgent operations were cancelled and appeals for blood donors were issued. It has been reported that the attack could disrupt the NHS for months if Synnovis is unable to regain access to is systems and the records they contain.

NOYB files complaints against Microsoft

NOYB filed complaints with the Austrian Data Protection Authority on 4 June 2024 in which it alleges Microsoft 365 Education unlawfully tracks children regardless of their age.  NOYB alleges that while schools have no control over the systems and the way they process personal data, the Microsoft terms of service state that the schools using the software are the data controllers.  NOYB also says there is a lack of transparency and, more seriously, that cookies analyse user behaviour, collect browser data and are used to deliver advertising without an appropriate lawful basis. NOYB is asking the Austrian DPA to investigate.

News as at 6 June 2024

Garante guidance on preventing AI web scraping

On 30 May, the Italian DPA, the Garante, announced guidance to help data controllers prevent online data being scraped to train AI. The guidance includes recommendations of concrete measures which can be adopted to protect data from indiscriminate scraping including creating reserved areas which require registration, anti-scraping clauses in terms of service, page traffic monitoring to identify abnormal data flows, and technical solutions to repel bots.

EDPB statement on financial data access (FIDA) and payments package

On 27 May 2024, the EDPB published a statement on the financial data access and payments package. The package consists of three proposals aimed at improving consumer protection and competition in electronic payments and providing for consumers to elect to share their data in order to get access to a wider and cheaper range of financial products and services.

The EDPB makes various suggestions on how to align the proposals with EDPB Guidelines, in particular those covering the Second Payment Services Directive, and Opinions on the proposals. The EPDB points out areas where the European Parliament did not follow its recommendations and urges that they be adopted.

Ticketmaster and Santander confirm massive ransomware attacks

Live Nation has confirmed the theft of data belonging to 560m customers worldwide. Responsibility has been claimed by ShinyHunters which is demanding £400,000 for the return of the data comprising names, addresses, contact numbers and incomplete credit card details. The group also claimed responsibility for a cyber attack on Santander Bank in which they claim to have stolen the data of 30m customers including 6m account numbers and balances, and 28m credit card numbers as well as staff data. It has reportedly asked for £1.6m to release the data.

Separately, the BBC suffered a data breach which exposed the details of more than 25,000 members of its occupational pension schemes although the BBC says it has no evidence of a ransomware attack.

EDPS guidelines on generative AI for EU institutions

The European Data Protection Supervisor published guidelines on 3 June 2024 to help EU institutions, bodies, offices and agencies comply with the GDPR when using generative AI. The guidelines run through the data protection principles and provide practical examples to anticipate risks, challenges and opportunities. There is also a focus on when to carry out DPIAs and how to conduct them.

News as at 29 May 2024

Is the UK poised to consult on new ransomware reporting requirements? 

Reports last week suggested that the UK government would consult on new proposals around ransomware reporting.  These would propose banning ransom payments by critical national infrastructure, and require others to report ransomware attacks and obtain permission before paying cyber attackers.  With the announcement of the general election, however, it's unclear whether or not the consultation will happen and in what form.

18 Member States not in compliance with the DGA 

On 23 May 2024, the European Commission opened infringement proceedings against 18 Member States requiring them to implement the Data Governance Act within two months.  Non-compliance issues relate mainly to failure to designate responsible authorities or demonstrate that these are empowered to perform tasks allocated under the DGA.

EDPB Opinion on biometrics at airports 

The EDPB adopted an Opinion on the use of live facial recognition technology at airports on 23 May 2024.  The Opinion looks at this type of processing in the context of the storage limitation principle, the integrity and confidentiality principle, data protection by design and default, and security of processing.  The EDPB notes that there is no uniform requirement across the EU Member States for airport operators and airlines to verify that the name on a passenger's boarding pass matches the one in their identity document.  Where no such verification is required, no such verification using biometrics should occur as this would result in excessive processing.

Where biometrics are used, only the data of passengers who actively enrol and consent to participate should be processed.  The EDPB found that the only storage solution which would be compatible with the principles it considered are those that are stored in the hands of an individual or in a central database with the encryption key solely in their hands.  Such storage solutions must also be implemented with a list of minimum recommended safety measures.

EDPB preliminary report from ChatGPT taskforce 

The EDPB's ChatGPT taskforce set up to promote cooperation between DPAs investigating ChatGPT's data protection compliance, published an interim report on its work to date on 24 May 2024.  The investigation is ongoing so the findings are not conclusive, however, the workforce considers the application of GDPR provisions around lawfulness, fairness, transparency and accuracy including the ability of individuals to exercise their GDPR rights.  The taskforce also developed a common questionnaire for DPAs to use with ChatGPT.

The EDPB also announced plans to develop guidelines on generative AI which will focus initially on data scraping in the context of AI training data.

Council of Europe adopts AI Act 

The Council of Europe adopted the AI Act on 21 May 2024.  It now goes through the formal signature process after which it can be published in the Official Journal.  This is expected to happen shortly.  The press release linked to a version of the Act which is presumed to be near final.

Is the DPDI Bill dead? 

The Data Protection and Digital Information Bill was not put on the 'wash up' list for legislation nearing enactment which is being rushed through before Parliament is dissolved for the 2024 General Election.  While in its later stages, the Bill still had to go through amendments in the Lords and was probably either too controversial or too far from enactment to make the cut.  With polls predicting a Labour victory, its future is uncertain.  It is possible that the Labour manifesto will shed more light once it is published but many expect that it will not survive in its current form if at all.

PSNI to be fined £750k for data breach 

The ICO intends to fine the Police Service of Northern Ireland £750k after personal information of its entire workforce was exposed.  The ICO said that "the sensitivities in Northern Ireland and the unprecedented nature of this breach created a perfect storm of risk and harm".  The ICO said that simple and practical to implement policies and procedures could have ensured the incident would not have happened.

Automated Vehicles Act receives Royal Assent 

The Automated Vehicles Act received Royal Assent on 20 May 2024.  Among other things, it introduces detailed technical and cyber security requirements.  It also:

• Sets a safety threshold for self-driving vehicles before they are allowed onto the roads.

• Makes companies liable for their self-driving vehicles on the road and protects users from being held unfairly accountable.

• Prohibits misleading market practices including using ambiguous terminology in marketing materials about the extent to which vehicles are self-driving.

• Introduces new criminal offences in relation to certain types of non-compliance.

Almost the entire Act is to be brought in under secondary legislation.

News as at 23 May 2024

ICO and FCA insights into consumer attitudes to digital assets

Under the banner of the Digital Regulation Cooperation Forum, the ICO and FCA published a joint paper on 14 May 2024, looking at consumer attitudes towards digital assets and how consumers interact with them. The report is intended to inform the regulatory approach from a financial and data protection perspective. Transparency and trust are highlighted as key to consumer take up. The need to ensure that risks associated with the technology underpinning digital assets are addressed to protect consumers is also emphasised.

ICO launches fourth consultation on generative AI

The ICO launched a fourth call for evidence on generative AI on 15 May 2024. This chapter focuses on data subject rights. It explains relevant rights and their application in the context of the training and use of generative AI. The ICO suggests a series of recommendations to ensure organisations developing and using generative AI keep users informed about their rights, enable their exercise, provide information about use of personal data, and clearly justify any exemptions. The consultation closes on 5 June 2024.

DPDI report stage to begin on 10 June

The House of Lords is expected to open the report stage of the Data Protection and Digital Information Bill on 10 June 2024. Any approved amendments will then go forward to the Bill's third reading in the Lords before returning to the Commons for consideration. These are the final stages of the Bill which the government will be keen to enact before calling a general election.

Government call for views on codes of practice for AI and software vendor cyber security

The UK government launched two calls for views on voluntary codes of practice for AI cyber security and cyber security issues for software vendors on 16 May 2024. 

AI cyber security

The call for views focuses on the introduction of a voluntary code of practice on AI cyber security.  It sets out specific interventions to help secure AI and hopes to contribute to developing a global standard.  The intention is to set out baseline security requirements together with risk mitigation actions in twelve key principles.  These are designed to cover the entire AI lifecycle across the supply chain.  The call is published alongside a number of research reports and is part of the government's National Cyber Strategy.

Software vendors

This proposed code of practice sets out fundamental security and resilience measures to be reasonably expected of B2B software developers and vendors. The draft code sets out 21 provisions under four overarching principles. The government also intends to publish technical controls and implementation guidance to set out minimum actions software vendors need to demonstrate they have taken to establish confidence in the resilience of their product or service. Organisations procuring software should be able to refer to the code and supporting materials to inform their understanding of risks associated with the software and to request any additional measures.

Extension of derogation from ePrivacy Directive published in Official Journal

The Regulation amending the Interim Regulation which applies a derogation to the ePrivacy Directive for the purpose of combatting online child sexual abuse was published in the Official Journal on 14 May 2025. The new Regulation extends the derogation period to 3 April 2026 pending the agreement of the currently draft CSEA Regulation.

News as at 15 May 2024

ICO calls on organisations to do more to prevent cyber attacks

On 10 May 2024, the ICO called on organisations to do more to boost cyber security and protect the personal data they hold in the context of a growing threat of cyber attacks. The call comes with publication of a new report analysing trends in cyber security breaches during 2023.  Finance, retail and education were the sectors reporting the most incidents. The report focuses on five leading causes of breaches:

• phishing
• brute force attacks
• denial of service
• errors
• supply chain attacks.

It also briefly covers malware and ransomware.

Ofcom consultation on protecting children from harmful content

Ofcom has published its second major consultation on the Online Safety Act (OSA) focusing on protecting children from harms online. Under the OSA, user-to-user and search services likely to be accessed by children have safety duties relating to content that is harmful to them. 

The consultation covers:

• how to assess whether a service is likely to be accessed by children
• the causes and impacts of harms to children
• how services should assess and mitigate the risks of harm to children.

In another lengthy set of documents, Ofcom provides a summary of its consultation together with documents including:

• proposed Codes at a glance
• guidance on completing children's access and risk assessments (including risk profiles)
• draft Children's Safety Codes
• large services guidance.

Read more.

For many businesses, compliance will engage data protection issues and last week (as reported here) Ofcom and the ICO set out their vision for collaboration on areas of overlap.

German DPAs publish guidance on AI and data protection compliance

The German joint body of federal Data Protection Authorities (DSK) published joint guidance on AI and data protection on 6 May 2024. The guidance focuses primarily on large language models and how organisations can deploy them in a data protection compliant manner, but the DSK says the guidance is relevant to other AI applications and for developers as well as deployers. The guidance covers selection and planning, implementation and active use. Unsurprisingly, it focuses on key data protection issues including transparency, lawful basis, data minimisation, use of special data, data protection by design and default, and governance.

News as at 8 May 2024

ICO and Ofcom set out statement on collaboration

Under the banner of the Digital Regulatory Cooperation Forum (DRCF), Ofcom and the ICO published a Joint Statement on Collaboration on the Regulation of Online Services on 1 May 2024. This sets out:

• Collaboration themes - areas where the regulators will work together
• Companies of mutual interest - how they will identify when they are looking at the same issues or services
• New ways of working - information sharing and collaboration.

Collaboration themes highlighted in this statement will be particularly important to businesses that have safety duties under the OSA involving the processing of (children's) personal data, and whose services are also caught under the ICO's Children's Code. They will initially cover:

• age assurance
• recommender systems
• proactive tech and relevant AI tools
• default settings and geolocation settings for child users
• online safety privacy duties
• upholding terms, policies and community standards.

It's also worth noting that Ofcom published its consultation on protecting children from harmful content online on 8 May (read more). This places a heavy emphasis on age assurance and recommender systems so it's unsurprising that these will be areas of joint focus.

Dutch DPA guidance on web scraping

The Dutch Data Protection Authority published guidance explaining why scraping personal data breaches the GDPR on 1 May 2024. The DPA say scraping is almost always illegal and can only be lawful if it is carried out in a highly targeted manner. The DPA highlights that the fact that data is publicly available on the internet does not mean consent has necessarily been given to scrape it. There are instances in which legitimate interests might be available as a lawful basis but the standard will be difficult to meet. The DPA suggests scraping may be permitted for domestic use and where an organisation scrapes news and media sites to gain insight into news about itself.

ICO publishes strategic approach to regulating AI

In response to a request from the Department for Science, Innovation and Technology, the ICO published its strategic approach to regulating AI at the end of April 2024. This covers the opportunities and risks of AI, the role of data protection law, the ICO's work on AI to date and its plans for further work. This centres on guidance, advice, support and enforcement action as well as on collaboration with other relevant regulators.

PSTIA draft amendment Regulations laid before Parliament

The draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) (Amendment) Regulations 2024 have been laid before Parliament. They will amend the PSTIA Regulations 2023 to correct an error in Schedule 1 to clarify that when a manufacturer of a relevant connectable product extends the minimum length of time for which security updates must be supplied, this must be published as soon as practicable. In addition, the Amendment Regulations will introduce new Schedule 3 exemptions to being classed as relevant connectable products for motor vehicles, two and three wheel vehicles, and agriculture and forestry vehicles, all of which are covered in separate legislation.

Council of EU adopts Japan data transfer framework

On 29 April 2024, the Council of the European Union adopted a protocol to allow for free data flows between the EU and Japan. Japan already has an EU adequacy decision in relation to personal data. The protocol is intended to prevent data localisation and to provide a more predictable legal framework which allows businesses to handle data efficiently.

eID Regulation published in Official Journal

The Regulation to amend the eIDAS Regulation as regards establishing the European Digital Identity Framework (eID Regulation) was published in the Official Journal on 30 April 2024. It establishes a new digital identity framework for EU citizens and a European Digital Identity Wallet. Read more.

Garante satisfied with changes made to ChatGPT

The Italian DPA, the Garante, lifted its ban on ChatGPT, satisfied that it had made sufficient progress on GDPR compliance issues. These include OpenAI committing to provide greater visibility of its privacy policy and user content opt-out forms, and to provide a new opt-out form for EU citizens to allow them to opt-out of OpenAI using their personal data to train ChatGPT.

EU Council adopts Regulation to extend derogation from ePrivacy Directive

On 29 April, the EU Council adopted the Regulation amending the Interim Regulation which applies a derogation to the ePrivacy Directive for the purpose of combatting online child sexual abuse. The new Regulation will extend the derogation period to 3 April 2026 pending the agreement of the currently draft CSEA Regulation, and will now be published in the Official Journal.

Short-term rental Regulation published in Official Journal  

The Short-term rental Regulation was published in the Official Journal on 29 April 2024. It sets out rules for data collection by competent authorities and providers of short-term online rental platforms and for sharing that data. It applies to short-term rental platforms which allow hosts to provide short-term rentals in the EU and to hosts providing those services. The Regulation will apply from 20 May 2026.

AG Opinion on health data

Advocate General Szpunar has opined in a reference from Germany. As part of the referred issues, the AG was asked whether data relating to the online purchase of non-prescription medicine constituted health data for the purposes of GDPR. The AG advised it does not qualify as special data as the purchase does not allow the inference of sufficiently certain conclusions about the health status of the purchaser because these sorts of medication are for general use and are often purchased proactively or for preventative purposes and may be taken by someone other than the purchaser.

News as at 1 May 2024

Upper Tribunal dismisses ICO's Experian appeal

The Upper Tribunal Administrative Appeals Chamber dismissed the ICO's appeal against a First Tier Tribunal decision to overturn an order it made against credit broker Experian. The order related to Experian's marketing services business and required Experian to make changes to its data processing practices in particular in relation to lawful basis and transparency.  On appeal by Experian, the First Tier Tribunal largely struck out the ICO's enforcement notice.  The ICO appealed the decision but the Upper Tribunal concluded on 23 April, that while there were minor flaws in some of the First Tier Tribunal's decision, they did not raise legal issues. It therefore upheld the decision. The ICO has said it will consider its next steps including whether or not to appeal.

IAB Europe responds to EDPB 'pay or consent' Opinion

On 23 April 2024, IAB Europe published a response to the EDPB's Opinion on pay or consent models for large online platforms. IAB Europe argues that the EDPB has mischaracterised both the 'consent or pay model' and personalised advertising and risks creating legal uncertainty for many businesses beyond large online platforms. The EDPB is accused of making overly abstract assumptions and failing to substantiate them. IAB Europe also suggests the EDPB has failed to balance individual rights with the freedom to conduct business and that it is attempting to require businesses to provide products and services at a loss or interfere with their chosen business models. 

AG Opinion on use of public statement for targeted ads

On 26 April 2024, AG Rantos published an Opinion on a referral from Austria in a case brought by Max Schrems. Schrems complained that personal data relating to his sexual orientation had been processed unlawfully by Meta to send him advertising targeted at homosexuals. He argued this was done without his consent or under any other lawful basis. Schrems claimed the advertisements were not based directly on his sexual orientation but on an analysis of his particular interests. He brought an action in the Austrian courts and subsequently referred publicly to his homosexuality during a panel discussion but did not publish this information on Facebook.

The Austrian Supreme Court asked the ECJ whether:

• a network such as Facebook may analyse and process all the personal data available to it without restriction as to time for the purposes of targeted advertising, and
• whether a statement made by a person about their sexual orientation as part of a panel discussion permits the processing of other data concerning that topic for the purposes of offering them targeted advertising.

The AG said the ECJ should rule that:

• The GDPR precludes the processing of personal data for the purposes of targeted advertising without restriction as to time. The national court must assess whether the data is processed legitimately for targeted advertising, taking into account principles of proportionality, the data retention period and the amount of data processed with regard to the legitimate aim of processing for personalised advertising.
• The fact that Mr Schrems made a statement concerning his own sexual orientation during a public panel discussion may constitute an act by which he "manifestly made public" the information, thereby negating the prohibition on processing special data, but making the data public does not in itself permit its processing for the purposes of personalised advertising.

European Parliament approves EHDS and Cyber package

On 24 April, the European Parliament approved:

• The creation of a European Health Data Space. The provisional agreement must now be formally approved by the Council, after which it will be published in the Official Journal, applying two years later, subject to certain exceptions which will apply between four and six years later.
• The Cyber Solidarity Act which aims to build a more resilient, collective EU response against cyber threats.  The EP needs to confirm the final text which will then be formally adopted by the Council and published in the Official Journal.  This is not expected to take place until after the EP elections.
• A Regulation amending the Cybersecurity Act to enable the adoption of an EU certification scheme for managed security services – outsourced services that support an organisation's cyber security risk management. The EP needs to confirm the final text which will then be formally adopted by the Council and published in the Official Journal.  This is not expected to take place until after the EP elections.

NOYB files complaint against OpenAI

Data privacy campaign group NOYB has filed a complaint with the Austrian DPA asking it to investigate OpenAI's data processing and the measures it takes to ensure accuracy of personal data processed in the context of its large language models.  NOYB also asks the regulator to require OpenAI to comply with a subject access request made by Max Schrems.  The background to the complaint is the fact that ChatGPT gave an incorrect date when asked the date of Mr Schrems's birthday – known as a 'hallucination'.  NOYB alleges that this breaches accuracy principles and that there is no way for OpenAI to give effect to rectification and deletion requests.  There are also transparency issues as ChatGPT does not always make sources clear.  NOYB argues that it is able to bring the complaint in Austria as OpenAI's EU headquarters in Ireland does not control the data processing of ChatGPT and therefore the one stop shop does not apply.

UK's CAT rejects Meta's permission to appeal against CPO

The UK Competition Appeals Tribunal has rejected Meta's application for permission to appeal against a collective proceedings order brought by Dr Liza Lovdahl Gormsen.  The opt-out CPO was certified in February 2024.  It alleges that Meta abused its dominant position by combining personal data collected outside the Facebook Platform with data collected from Facebook to target advertising and generate additional revenue.  Moreover, users had no option but to accept this.  The CAT's ruling allows the COP to proceed.

DBT Smart Data Roadmap

The Department for Business and Trade published a Smart Data Roadmap  on 18 April 2024, setting out the government's plans in 2024-25 for using powers under the DPDI Bill to identify opportunities and challenges in implementing Smart Data schemes in seven sectors. The plan sets out priority sectors of banking, finance, energy and road fuels, telecommunications and transport, with retail and home buying identified as areas of further interest.  Unsurprisingly, an initial priority is to complete the DPDI Bill itself.  A further report is anticipated in a year's time although this will be after the General Election.

EDPB Annual Report 2023

On 23 April 2024, the EDPB published its Annual Report for 2023 looking back at the work it did last year which includes producing guidelines and Article 65 decisions, the Article 66(2) Meta decision and enforcement co-operation, as well as its legislative consultation activities.

PSTIA regime now in effect

The UK's connectable products regime is now in effect as the Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 came into force on 29 April 2024. The government also updated its PSTIA Regs guidance to include additional guidance on the Statement of Compliance and automotive vehicles

ASA publishes a guide to privacy rules

The ASA published a guide to privacy rules on 25 April 2024.  This focuses on CAP Code rules for featuring an individual (whether a public person or a private individual) and private property in ads.  It also makes reference to Section 10 of the CAP Code which deals with personal data issues.

News as at 24 April 2024

EDPB casts doubt on 'pay or OK' model for large online platforms

The EDPB published its long-awaited Opinion on valid consent in the context of pay models implemented by large online platforms (LOPs) on 17 April 2024. The EDPB was asked to consider the 'pay or OK' model for behavioural advertising in the EU by the Dutch, Norwegian and Hamburg DPAs, particularly as used by LOPs, most notably Meta.

The EDPB has concluded that "in most cases it will not be possible for [LOPs] to comply with the requirements for valid consent, if they confront users only with a choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee". The EDPB suggests that LOPs should not be offering a binary choice to consent to advertising or to pay for an ad-free service.  Instead they should consider providing an equivalent alternative such as a free service with non-behavioural advertising, ie advertising which uses less personal data than behavioural advertising or none at all.

The reasoning behind this is the need for consent to be freely given.  The EDPB stresses that consent cannot be freely given if users suffer detriment by not giving it or by withdrawing it. Detriment can include exclusion from major online services if data subjects choose neither to pay a fee nor to consent to use of their personal data and where an equivalent alternative is not offered. A genuine equivalent is likely to be available where:

• the only difference between offerings is that one uses personal data for behavioural advertising and the other does not (ie payment is not also a differentiating factor)
• the processing operations that are unnecessary for the provision of the service and usually depend on consent are omitted.

The EDPB says personal data is not a tradeable commodity and that LOPs must prevent the fundamental right to data protection being something users have to pay to have.

The EDPB underlines that when assessing whether or not consent has been freely given, conditionality, detriment, imbalance of powers and granularity should be taken into account.  A fee cannot compel users to consent so controllers should assess on a case-by-case basis whether a fee is appropriate at all and at what amount the fee should be set in the circumstances.  LOPs should also consider whether the data subject is likely to suffer detriment if they do not consent.  Similarly, they should evaluate whether there is an imbalance of power between the controller and the individual – this should cover factors including the position of the LOP in the market, the extent to which an individual relies on the service, and its main audience.  The EDPB is also concerned about transparency issues around behavioural advertising and warns LOPs that GDPR compliance goes further than complying with lawful basis requirements.

The Opinion includes elements to help assess consent against the GDPR standard in relation to 'pay or OK' but the EDPB also plans to develop guidelines on 'pay or OK' with broader scope.

Prior to the EDPB publishing its Opinion, IAB Europe issued a letter it had sent to the EDPB arguing that 'pay or OK' does not equate to making individuals pay for data protection rights.  NOYB has welcomed the Opinion but stresses it only addresses LOPs.

Read more.

European Parliament Committee adopts FIDA report

The European Parliament's Economic and Monetary Affairs Committee adopted its report on the proposed financial data space (FIDA).  The Committee proposes a number of amendments to the Commission's draft including:

• expansion of data excluded from the data space to include data related to sickness and health cover, confidential business data and confidential know-how
• prevention of DMA gatekeepers being financial information service providers
• data holders and data users to be able to use existing market standards and technical infrastructures when developing common standards for mandatory data access
• data holders to be able to request reasonable compensation from data users for costs incurred to provide access
• a requirement on the European Banking Authority to establish a register of authorised financial information service providers and financial data access schemes
• an extended transition period for SMEs of up to a year to apply the new rules.

EDPB 2024-27 Strategy published

The EDPB published its Strategy 2024-2027 on 18 April 2024.  It set out priorities grouped around four pillars with key actions per pillar:

• Pillar 1 – enhancing harmonisation and promoting compliance: includes developing guidance and tools and developing and implementing compliance measures like certification and codes of conduct
• Pillar 2 – reinforcing a common enforcement culture and effective cooperation: enforcement cooperation remains a priority
• Pillar 3 – safeguarding data protection in the developing digital and cross-regulatory landscape: the EDPB will develop guidance on the interplay of data protection law and related EU law including the AI Act, the DMA and the DSA
• Pillar 4 – contributing to the global dialogue on data protection: the EDPB will continue to cooperate with its non-EU counterparts, and to work on transfer mechanisms and related tools.

EDPB clarifies implementation of EU-US DPF redress mechanisms

The EDPB adopted Rules of Procedure, a public information note and template complaint forms to facilitate the implementation of the redress mechanisms under the EU-US Data Privacy Framework (DPF).  The documents relate to two redress mechanisms to handle complaints by EU individuals relating to national security or commercial purposes and in relation to data transferred after 10 July 2023.

AI Act corrigendum published

The European Parliament published the 'corrigendum' of the AI Act on 16 April 2024.  This corrects errors and clarifies language.  The text is unlikely to change further in any significant way although it was subject to review by Parliamentary committees at the end of last week.

News as at 17 April 2024

ICO guidance to improve transparency in health and social care

On 15 April 2024, the ICO published guidance to improve transparency in health and social care.  This is the final version of the guidance following a consultation earlier this year. The guidance covers:

• what constitutes transparency and its importance in relation to health and social care
• how to develop transparency information
• how to provide transparency and privacy information
• how to assess whether you are being transparent.

The guidance includes a transparency checklist.

ICO Generative AI third call for evidence on accuracy of training data and model outputs

The ICO has published a third call for evidence on generative AI.  This focuses on accuracy of training data and model outputs and closes at 5pm on 10 May 2024.  The call looks at the meaning of accuracy in a generative AI and data protection context and the impact of accuracy as well as the link between purpose and accuracy.  It also looks at the impact of training data on accuracy of output. 

US federal privacy law back on the agenda

A discussion draft of a federal American Privacy Rights Act was published although not introduced on 7 April 2024.  Previous attempts at a federal privacy law have failed but there are hopes this one, which has bipartisan support, may be more successful.  Given the increasingly complex patchwork of privacy laws emerging across the US, there may be more political will to introduce a federal law although there is a long way to go.

The discussion draft proposes among other things:

• An explicit consent requirement for transferring personal data to third parties
• Necessity principle
• Transparency provisions
• A requirement that consent (where required) be as easy to withdraw as to give
• Data subject rights around rectification, deletion and transfer to another service.

EDPS publishes annual report

The EDPS published his annual report for 2023 on 9 April 2024.  It highlights key EDPS activities during 2023.  The EDPS also gave a speech outlining three priority areas for this year:

• Advising on AI regulation to ensure a human-centric approach which complies with fundamental rights to privacy and data protection
• Advising on the draft CSAM Regulation to advocate for inclusion of safety and privacy of digital communications, and
• Advising on privacy matters relating to migration and border management.

The EDPS is also planning various activities to coincide with its 20^th anniversary this year.

ENISA and France look at cloud localisation issues

As reported last week, ENISA is preparing to vote on adoption of the EUCS cloud certification scheme.  Under the latest draft from March, it appears that controversial EU localisation requirements have been dropped in favour of transparency provisions which include information on storage location and data processing methods. Once ENISA adopts the EUCS, the EC will issue implementing legislation under the Cybersecurity Act after which all Member States will be able to adopt the certification scheme should they wish to.  They will be able to pass local laws making the scheme mandatory for specific types of data.

France has already started this process with its SREN Bill which concentrates on health and national security data.  The Bill originally contained capital ownership requirements much like those originally in the EUCS.  The SREN Bill no longer contains these on the face of the Bill but France is expected to introduce requirements by decree within six months of the SREN Bill's enactment.

CNIL publishes final version of initial AI data protection recommendations

The CNIL has published the final versions of its first AI data protection recommendations following a consultation.  Seven "official recommendation sheets" cover how to:

• Determine the applicable legal regime
• Define a purpose
• Determine the legal qualification of the actors
• Define a legal basis 
• Carry out tests and verifications in the event of data reuse
• Carry out an impact analysis if necessary
• Take data protection into account when making system design choices
• Take data protection into account in data collection and management.

A summary of the recommendations has also been published.

The CNIL will go on to publish further sheets on designing and training GDPR-compliant models, data recovery, the use of legitimate interests as a lawful basis, and data subject rights.

European Parliament adopts position on Regulation on additional GDPR procedural rules

The European Parliament adopted its negotiating position on the draft Regulation laying down additional procedural rules relating to the enforcement of the GDPR on 10 April 2024.  Among the changes to the European Commission's proposal are:

• Allowing concerned SAs to have instant, unrestricted and continuous access to joint case files and giving concerned parties access to all information except internal deliberations
• Setting clearer deadlines to speed up enforcement procedures
• Clarifying the rules on amicable settlements.

Once the Council adopts its own negotiating position, the draft Regulation will proceed to the trilogue stage.

European Parliament adopts further interim Regulation on ePrivacy Directive derogations

On 10 April 2024, the European Parliament adopted the Regulation permitting continuation of certain derogations of the ePrivacy Directive under an Interim Regulation to combat child sexual abuse online on 10 April 2024.  The original Interim Regulation is being extended to 3 April 2026 to allow time for the EU's CSAM Regulation to come into effect.  The Council now needs to adopt the Regulation which will then be published in the Official Journal.

News as at 10 April 2024

ICO's priorities for protecting children online - 2024-25

The ICO has set out its priorities when it comes to protecting children online during 2024-25. The ICO's Children's Code strategy will focus on:

• default privacy and geolocation settings
• profiling children for targeted advertisements
• using children's information in recommender systems
• using information of children under 13.

The ICO will work closely with Ofcom in its capacity as regulator of the Online Safety Act, and with international regulators.  Its work will include information gathering engagement and supervision as well as enforcement.  It intends to publish a call for evidence in Summer 2024 to gather input from a wide range of stakeholders.

ICO joins Global Cooperation Arrangement for Privacy Enforcement

On 4 April 2024, the ICO signed up to a new international multilateral agreement with the Global Cooperation Arrangement for Privacy Enforcement (Global CAPE). This is intended to facilitate cooperation in cross-border data protection and privacy enforcement.  Other members include the USA, Australia, Canada, Mexico and Japan.

Amazon appeals CNIL fine

Amazon is appealing the €32m fine handed down to Amazon France Logistique by the CNIL relating to issues with a tracking system at one of its warehouses.  The CNIL found the system was "excessively intrusive" – a finding with which Amazon strongly disagrees.

Google settles 'Incognito mode' US lawsuit

Google has reportedly settled a US class action lawsuit which alleged that Google continued to collect user data even when they were browsing in 'Incognito mode'. Google agreed to delete data collected from the Incognito mode and to enable users of the Incognito mode to block third-party cookies by default. Google reiterated its belief that the claim was "meritless" and said the data collected was technical data which did not identify individuals.  The settlement must now be approved by the courts.

A&T suffers huge data breach

US retail wireless carrier A&T has said personal data of 7.6m current users and 65.4m former users has been leaked on the dark web. The data is thought to be from 2019 or earlier. A&T has not yet confirmed the source of the breach.  It says that the leak has not materially affected users but has re-set millions of customer passwords.

Cloud service security developments in the EU and US

The latest ENISA draft of the EU Cloud Service Scheme (EUCS) published in March 2024, which aims to set up a cyber security certification regime for cloud services, suggests the EU will drop the controversial sovereignty requirements that cloud service providers should only be operated by EU-based companies with no non-EU entity exerting effective control. Previous drafts had already watered these provisions down and they are absent from the March 2024 draft.

Meanwhile, the US Cyber Safety Review Board has recommended that all cloud service providers improve security and build resilience against attacks.  It has also said it plans to develop guidance for major cloud service providers following a review of the 2023 Microsoft Exchange Online data breach which exposed the email addresses of US and EU government officials. 

News as at 28 March 2024

ICO publishes new fining guidance

On 18 March 2024, the ICO published new fining guidance setting out how it decides to issue penalties and calculate fines. Publication follows consultation on a draft published in 2023. The guidance is intended to provide greater transparency for organisations. It sets out the legal framework which gives the ICO the power to impose fines, how the ICO will approach key questions including identifying a wider undertaking or economic entity and the methodology of fine calculation using the following five steps:

• Step 1: assessment of the seriousness of the infringement
• Step 2: accounting for turnover
• Step 3: calculation of the starting point
• Step 4: aggravating and mitigating factors
• Step 5: adjustment to ensure the fine is effective, proportionate and dissuasive.

House of Lords Committee call for evidence on EU adequacy agreement

The House of Lords European Affairs Committee issued a call for evidence on the existing arrangements for EU UK data adequacy on 15 March 2024. It focuses on the existing arrangements and how effective they are, possible challenges to the regime, the implications of a disrupted or no adequacy scenario, taking into account proposals under the DPDI Bill, and lessons learned from other countries' adequacy systems.

The call closes at 12pm on 3 May 2024 and the Committee aims to report by July 2024. The European Commission is due to review the UK adequacy decision by June 2025.

EDPB expected to deliver opinion on 'pay or OK' in mid-April

The EDPB is expected to give its views on the 'pay or OK' subscription model used by Meta and others in mid-April. In the meantime, IAB Europe and others have written to the EDPB supporting the model and urging it to follow existing case law. Meta has said it plans to reduce its subscription fee from €9.99 to €5.99 per month for its ad-free version. One of the criticisms levelled at its model is that the cost of the ad-free version is arbitrary and too high so this looks like an attempt to allay those concerns.

EU Political Advertising Regulation published in Official Journal

The EU's Regulation on transparency and targeting of political advertising was published in the Official Journal on 20 March 2024. This applies to certain types of political advertising disseminated in the EU, brought in to the public domain in one or more Member States, or directed at EU citizens regardless of country of origin and means used to publish. The Regulation will apply from 10 October 2024 with Articles 3 (definitions) and 5(1) (restrictions on providers of political advertising services) applying from date of entry into force.

US House of Representatives approves data transfer legislation

The US House of Representatives approved the Protecting Americans' Data from Foreign Adversaries Act.  This prohibits data brokers from sharing sensitive personal data with an entity controlled by a designated 'country of concern'. This includes a company which is more than 20% owned by an entity in a designated jurisdiction. 

ECJ ruling on processing of employee health data

On 2 February 2024, the ECJ ruled in a reference from Germany on issues around the processing of employee health data where the controller is a medical service that creates reports on insured persons' fitness for work. 

The ECJ held that the exception to the prohibition on processing special data in 9(2)(h) (processing necessary for preventative or occupational medicine for the assessment of the working capacity of an employee) does apply where a medical examination body processes the data not as an employer but as a medical service, subject to other relevant conditions being met.  Article 9(3) does not require a controller to ensure that no colleagues of the employee concerned are able to access the data.  In addition, at least one of the Article 6(1) conditions (lawful basis) must be met.

The ECJ also said that Article 82(1) (compensation) must be interpreted to mean that financial compensation payable in accordance with that Article should be compensatory not punitive or dissuasive and that while fault of the controller had to be established to award compensation, the seriousness of the fault need not be take in into account when awarding non-material damages.

Interoperable Europe Act published in Official Journal

The Interoperable Europe Act was published in the Official Journal on 22 March 2024.  It introduces a co-operation framework for public administrations in the EU to facilitate cross-border exchanges of data.  The intention is to ensure interoperable digital solutions and tools to help remove administrative burdens.  The Act enters into force on 11 April 2024 and will largely apply from 12 July 2024, with limited provisions applying from 12 January 2025.

Government blames China for cyber attacks on Electoral Commission and MPs

The UK government has attributed cyber attacks on the Electoral Commission and MPs to China-sponsored hackers. China has denied carrying out the attacks.  Analysts have warned that cyber attacks linked to China are increasing and both the UK and US governments announced sanctions against Chinese companies and individuals they say are linked to the attacks.

News as at 20 March 2024

European Parliament adopts AI Act

The European Parliament approved the AI Act on 13 March 2024. The AI Act will now be formally adopted and published in the Official Journal coming into force 20 days later. Publication of the final text in the Official Journal is unlikely to take place before the end of April/early May. Prohibitions on unacceptable risk AI will apply six months after this. Rules on general purpose AI will apply after a year, and it will be two years before the full Act applies. 

European Parliament adopts Cyber Resilience Act

On 12 March 2024, the European Parliament adopted the Cyber Resilience Act. The CRA will set out provisions for the security of connected products. Obligations will apply across the supply chain but particularly to manufacturers. Products will be classified according to risk level with high-risk products having to go through independent conformity assessments. There are also requirements around software updates of relevant products.

The CRA will now be formally adopted before being published in the Official Journal and coming into force twenty days later. The majority of the provisions will apply three years after that with some coming in earlier.

Provisional political agreement reached on European Health Data Space

The European Council and Parliament reached provisional political agreement on the Regulation to establish a common European Health Data Space on 15 March 2024. The agreed compromise text amends the initial proposal including by:

• introducing an opt-out for patients who do not want their health data to be accessed whether for primary or secondary use, except for purposes of public interest, policy making, statistics and research purposes in the public interest
• allowing patients to restrict information so that healthcare professionals will only be able to access it in situations of vital interest
• allowing Member States to put in stricter measures governing access to certain kinds of sensitive data, such as genetic data for research purposes
• enabling Member States to reduce the administrative burden by establishing trusted data holders that can securely process access requests
• allowing reporting of clinically significant findings about a patient whose data is used in research to the trusted data holder who must then inform the patient or relevant healthcare provider.

The Regulation is expected to be adopted later this year and will apply one year later. 

Government response to Joint Committee's recommendations on ransomware

On 11 March 2024, the House of Commons Joint Committee on National Security published the government's response to its consultation and subsequent recommendations on tackling ransomware. The Committee's press release was headed "Government's "ostrich strategy" in response to large and imminent national cyber-threat does not reassure". The government rejected key recommendations including:

• to create a single cross-sector regulator to oversee the implementation of the NIS Regulations
• to intervene in the cyber insurance market to help lower premiums
• to establish a central reporting mechanism for ransomware attacks and a three month mandatory reporting duty.

The government has agreed to consider the Committee's proposals to reform the Computer Misuse Act but rather than act "urgently" as suggested by the Committee, it has not stipulated at timeframe. It has, however, pointed to related actions it is taking including:

• its commitment to improve and reform the NIS Regulations "when Parliamentary time allows"
• work by the ICO and under the National Cyber Strategy to get the Association of British Insurers to release anonymised cyber breach data to help improve modelling
• the £20m investment to replace Action Fraud with an improved reporting system during the course of this year.

ECJ says DPAs can order data erasure even in absence of data subject request

On 14 March 2024, the ECJ ruled in a reference from Hungary, that a Member State DPA can make an own-volition order to delete unlawfully processed personal data, even in the absence of a prior request made by the data subject. This is because the DPA has a duty to remedy GDPR infringement and a failure to act would mean the controller could retain the data and continue to process it unlawfully. This is true whether the data originated directly from the data subject, or from another source.

Government passes legislation to amend the DPA 18 immigration exemption

The Data Protection Act 2018 (Amendment of Schedule 2 Exemptions) Regulations 2024 were made on 7 March 2024. They amend the immigration exemption in paragraph 4 of Part 1 of Schedule 2 to the Data Protection Act 2018 following the Court of Appeal decision which held the previous version to be incompatible with Article 23(2) GDPR.

Garante requests information from OpenAI on Sora

The Italian DPA, the Garante, gave OpenAI 20 days from 8 March to respond to a request for information on whether its AI video generator Sora will be made available to EU users, and to provide more information about it. The Garante wants to understand whether Sora complies with GDPR requirements.

News as at 13 March 2024

'Pay or OK' model under increasing ICO and EU scrutiny

Following ECJ rulings which effectively determined that the only lawful basis available to Meta for targeted advertising was consent, Meta and others switched to what is known as the 'pay or ok' model. This gives users the choice between an ad-free subscription model and agreeing to the use of their personal data for targeted advertising purposes in exchange for a free service.

The EDPB is already scrutinising the model following requests from Member State DPAs amid concerns that consent cannot be said to be freely given in this situation, and that the charging model is insufficiently transparent and potentially unfair. In the UK, the ICO has launched a call for views on the model. However, in the EU, challenges to the model directed at Meta come not only from data protection law but also competition and consumer protection law and the EU's Digital Services Act.  

In the last couple of weeks alone:

• The ICO launched a call for views on what it describes as the less catchy "consent or OK" model for website access on 6 March 2024.  It invites publishers, advertisers, intermediaries, civil society, academia and other interested stakeholders to respond and help it inform its position.  The ICO highlights what organisations should take into account when considering whether the model is right for them and their users.  The ICO has also written to the Association of Online Publishers and the Internet Advertising Bureau UK setting out its views on various online advertising models and how to give users a fair choice over how their personal information is used, while waiting for views on the 'consent or ok' model before venturing an opinion on that.  The ICO says it will issue updated guidance for consultation in relation to the use of cookies after the DPDI Bill receives Royal Assent and expects to be able to provide more detailed guidance on the interplay between consent for targeted advertising and functionality that can be considered intrinsically linked on a technical level for that purpose.  The ICO welcomes changes made by 80% of the 53 organisations it approached about their cookie practices and is now focusing on the next 100 most frequented websites.  It warns that its next announcement in this space will be about enforcement action against organisations which have ignored the law.

• On 1 March 2024, the European Commission issued Meta with a formal request for information under the Digital Services Act relating to its 'pay or OK' model.  Meta is asked to provide more information related to its ad-free subscription models for Facebook and Instagram in response to a request for information issued in October 2023, in particular, steps it has taken to comply with its obligations concerning Facebook and Instagram's advertising practices, recommender systems and risk assessments related to the introduction of the subscription option.  The RFI also covers other issues beyond the 'pay or ok model' including on risk assessment and mitigation measures reports, protection of minors, elections and manipulated medial, as well as the practice of 'shadow banning' and the launch of Threads.   Meta is required to respond on the elements relating to the October RFI by 15 March and to the new elements by 22 March 2024.

• On 29 February 2024, BEUC (the European consumer protection group) announced that eight of its members had filed complaints to the national data protection regulators about Meta's 'pay or OK' model.  The complaints argue that the model does not follow the principles of fair processing, data minimisation or purpose limitation. Concerns are that the data collected is excessive, going beyond what is necessary to target ads, Meta uses its dominant position to force users into accepting the free model without providing sufficient information, and that there is insufficient transparency about the extent of data processing.  They also argue that consent is not freely given and that the screen presenting the options to consumers coerces them into accepting the free model.  BEUC members also argue that there is insufficient information to explain why the subscription price is set as it is.

ECJ rules on IAB Europe TCF reference

In 2022, the Belgian Data Protection Authority held that the TC string used in IAB Europe's Transparency and Consent Framework constitutes personal data.  It also found that IAB Europe was a joint controller of that personal data.  IAB Europe appealed the decision before the Brussels Court of Appeal which made a reference to the ECJ.  On 7 March 2024, the ECJ agreed with the Belgian DPA on these two issues.  It also held that IAB Europe should not necessarily be viewed as a joint controller in relation to the subsequent data processing performed in pursuit of the TCF purposes.  The case now returns to the Brussels Court of Appeal.  IAB Europe acknowledged the decision.  The Belgian DPA's initial decision has been suspended pending the outcome of the appeal.  IAB Europe says it will publish a more detailed analysis of the ECJ ruling shortly. See our article for more.

EDPS finds European Commission's use of Microsoft 365 breaches data protection law

On 11 March 2024, the European Data Protection Supervisor concluded that the European Commission has infringed key data protection rules when using Microsoft 365.  It orders the EC to suspend all data flows resulting from its use of Microsoft 365 to Microsoft, and to its affiliates and sub-processors located in countries outside the EU/EEA not covered by an adequacy decision.  The EDPS also orders the Commission to bring the processing operations resulting from its use of Microsoft 365 into compliance with Regulation 2018/1725 (which relates to processing of personal data by Union institutions and bodies).  All remedial measures are to be applied by 9 December 2024.

In particular, the EDPS found that the EC had failed to introduce supplementary Schrems II measures in relation to its US data transfers.  It had not carried out a transfer mapping exercise, had not ensured that destination countries had equivalent data protection measures to those in the EU, and had concluded SCCs without the appropriate transfer impact assessment or authorisation as required from the EDPS under article 48(3) of Regulation 2018/1725. It was also found to have breached purpose limitation principles and to have failed to ensure required contractual terms in agreements.

ECJ ruling on oral transfer of personal data

On 7 March 2024, the ECJ handed down a preliminary decision in a reference from Finland which related to oral disclosure of personal data.  The ECJ was asked whether oral disclosure of personal data constituted processing of personal data under the GDPR.  The reference was made after Endemol Shine Finland's oral request to a Finnish court for information about criminal proceedings was denied on the basis that disclosure would involve processing personal data.  The ECJ agreed that disclosure would constitute processing of personal data.  The ECJ was also asked about the balance of interests between an individual subject to criminal proceedings and public interest in having information about this.  The court said that given the sensitivity of data relating to criminal convictions, the fundamental rights of the data subject and protection of personal data would likely prevail over public interest in having access to official documents, whether or not the requestor is a company or a private individual and whether the information is disclosed orally or in writing.

FCA report on using synthetic data in financial services

The Financial Conduct Authority has published a report on using synthetic data in financial services.  The report is co-authored by the Synthetic Data Expert Group and the FCA.  It is intended to act as a guide to creating and using synthetic data, focusing on different issues during the data lifecycle, including data augmentation and bias mitigation, system testing and model validation and internal and external data sharing.  Use cases deal with fraud detection, credit scoring, open banking, anti-money laundering and authorised push payment.

ICO response to OSA consultation on illegal harms

The ICO has published its response to Ofcom's first consultation on the Online Safety Act which focuses on protecting people from illegal harms online. The ICO has limited its comments to areas which interact with its data protection remit under current law, noting that the DPDI Bill may amend relevant law when it comes into force. The ICO emphasises that it is essential that users of online services have confidence that their privacy will be protected and while it is not opposed to the recommended content moderation measures in principle, it raises important points of alignment with data protection law.

It considers that the guidance does not currently provide sufficient regulatory certainty to enable services to make a confident assessment about whether content is communicated "publicly" or "privately" and does not challenge Ofcom's evidence base for concluding that factors such as encrypted messaging and anonymity/pseudonymity functionality are risks for illegal harm. It also raises concerns that the guidance could in practice deter services from deploying functionalities such as end-to-end encryption because they are deemed too risky under online safety law.  Data minimisation is another area of concern as the ICO comments on a potential lack of clarity about what personal data is needed to comply with Ofcom's guidance measures.  The ICO recommends that the final guidance and measures ensure services are not incentivised to process more personal data than is needed.

Regional Scheme: a better way to export data from China?

Michael Tan and Thomas Kahl look at the evolving landscape of China's data export laws.

See full article here.

News as at 6 March 2024

ICO second consultation on generative AI

The ICO has published a second call for evidence on generative AI, focusing on purpose limitation in the AI lifecycle.  The first consultation focused on lawful processing of scraped data to train generative AI.

The ICO highlights that the generative AI lifecycle is likely to involve processing different types of personal data for different purposes.  Different organisations may have control at various points.  Having a specified purpose at each stage allows an organisation to understand the scope of its activity, evaluate its compliance with data protection law, and help them evidence that.  Identifying the purpose will allow for compliance with other data protection principles including minimisation, lawfulness, fairness and transparency.

ICO outlines 2024 priorities

The UK's ICO John Edwards, speaking at the IAPP Data Protection Intensive, has outlined his priorities for 2024.  Children's privacy and third party advertising cookies are on the agenda, but the ICO said "the biggest question on my desk" is AI.  The ICO highlighted the importance of complying with data protection law when developing, training and using AI, particularly generative AI, but also stressed the important role to be played by other regulators.

President Biden restricts transfer of sensitive data to countries of concern

President Biden issued an Executive Order on 28 February 2024, directing the Department of Justice to draft regulations to restrict data brokers sending sensitive data of US citizens to foreign adversary countries.  The Executive Order also takes steps to reduce data security risks with respect to telecommunications infrastructure, healthcare, and consumer protection among others.  Countries of concern are expected to include Russia, China, Iran, North Korea, Cuba and Venezuela.

EDPB begins coordinated enforcement action on access rights

The EDPB announced on 28 February 2024, that it had begun its Coordinated Enforcement Action for 2024.  This focuses on rights of access.  31 DPAs are taking part, including seven German State-level regulators.  They have options to send questionnaires to targeted organisations and conduct and/or follow up on formal investigations.  The results of the action will be analysed and help determine whether further action is required.

European Parliament adopts Regulation on data collection and sharing relating to short-term accommodation rental services

On 29 February 2024, the European Parliament adopted at first reading the Regulation on data collection and sharing relating to short-term accommodation rental services.  The Council is expected to adopt the Regulation shortly, after which it will be published in the Official Journal.

The Regulation will require online platforms which facilitate short-term accommodation rentals to comply with registration and data sharing requirements in areas where a registration scheme exists.  Member States will have to set up a single digital entry point for submission of data by the platforms about host activity on a monthly basis.  This will include information about the number of nights of rental, number of guests, and information about the listing.

European Parliament adopts Regulation on transparency and targeting of political advertising

On 27 February 2024, the European Parliament adopted at first reading the Regulation on transparency and targeting of political advertising.  The Regulation is expected to be adopted by the Council shortly and will then be published in the Official Journal.  The Regulation applies to paid-for political adverts in respect of which explicit and separate consent will be needed to use personal data collected from a data subject to target them.  Special category data will not be able to be used to target such adverts.  The rules will apply 18 months after the Regulation enters into force, however definitions and measures on non-discriminatory provision of cross-border political advertising will apply 20 days after publication in the Official Journal.

UK's ICO and USA's FCC sign MoU to prevent predatory marketing

The UK's ICO and the USA's Federal Communications Commission have signed a Memorandum of Understanding pledging to work together to protect people from unwanted marketing communications and the misuse of private and sensitive data.  The MoU sets out how the regulators will share information and best practice including technical developments, to achieve these goals.

ICO guidance for employers sharing staff data in a mental health emergency

The ICO published guidance for employers on sharing staff personal data in a mental health emergency on 1 March 2024.  The ICO stresses that employers can share necessary and proportionate information without delay with relevant and appropriate emergency services or health professionals but recommends planning procedures for doing so ahead of time.  This guidance is part of the wider guidance being published by the ICO for employers.

ICO finds Home Office GPS monitoring of migrants unlawful

On 1 March 2024, the ICO found that a Home Office pilot scheme to use GPS electronic monitoring of migrants breached data protection law because it:

• failed to assess the privacy intrusion of GPS monitoring
• did not provide migrants on the pilot scheme with clear information on what data it was collecting and why
• failed to assess the potential impact on people who might already be in a vulnerable position and not have English as a first language and consider risk mitigation measures.

The ICO said the Home Office failed, throughout the ICO's enquiries, to explain sufficiently why it was necessary or proportionate to collect, access and use people's information via electronic monitoring, including failing to evidence it had considered alternative measures.

ICO's Journalism Code of Practice now in force

The ICO's final Code of Practice on Data protection and journalism was published on 1 February 2024.  It has been approved by the Secretary of State and came into force on 22 February. The Code provides guidance for journalists and media publications on data protection in the context of journalism.  It looks at how to apply the journalism exemption including looking at public interest and freedom of expression.  The Code has statutory force which means it is not legally binding but failure to comply can be taken into account by the courts.

News as at 28 February 2024

ICO publishes new guidance on biometric recognition

The ICO published new guidance on biometric recognition on 23 February 2024, which explains how data protection law applies when using biometric data in biometric recognition systems.   It is aimed at organisations considering using such systems and at the system providers including vendors and developments.  It covers the definition of biometric data, biometric recognition uses, how these involve processing special category biometric data, and the data protection requirements which will apply.   

At the same time, the ICO announced it had issued an enforcement notice against Serco Leisure, requiring it to stop using facial recognition technology and fingerprint scanning to monitor employee attendance.  The ICO said Serco had been unlawfully processing the biometric data of more than 2000 employees at 38 locations.  Serco failed to demonstrate this was necessary and proportionate compared with other less intrusive measures such as ID cards and failed to supply employees with a clear alternative to providing their biometric data.  Due to the imbalance of power between the employees and Serco, there could be no valid consent as the employees would have been unlikely to feel they could say no to the company's use of FRT.

OECD sets up expert group for policy synergies in AI, data and privacy

The OECD has announced it has set up a new expert group for policy synergies in AI, data and privacy.  The intention is to break down silos in recognition of the rise of privacy enforcement actions focused on AI, to address concerns that data protection law may be hindering AI development, and focus on synergies.

McPartland Review of Cyber Security and Economic Growth – call for views

The McPartland Review of Cyber Security and Economic Growth is a government-commissioned independent review of cyber security as a driver of economic growth.  Revenue generated by the sector has jumped from £5.7bn in 2018, to over £10.5bn in 2023 and created an estimated 20,000 jobs.  The review has issued a call for views which focuses on how to facilitate further growth.  The call closes on 28 March 2024.

AG Opinion on sale of database in enforcement proceedings

AG Pikamäe has opined in a reference from Poland which relates to whether and under what circumstances, a database containing personal data may be sold as part of enforcement proceedings (in this case a debt action), without the consent of the data subjects.

The AG opined that:

• the court enforcement officer would become a data controller of the database in order to estimate its value prior to any sale
• the lawful basis for the further processing would be different to the original lawful basis for processing the data so would need to meet the threshold of constituting a necessary and proportionate measure in a democratic society – this would potentially be available
• the processing relating to any sale of the database would be lawful on the basis that it would be necessary for the performance of a task carried out in the exercise of official authority, where the data subjects' rights were balanced against the rights of the creditor who would receive the proceeds of the sale.

News as at 21 February 2024

ICO approves certification scheme for legal professionals

The ICO has approved a certification scheme for legal professionals who process personal data.  Certification helps law firms and other legal professionals demonstrate compliance with data protection requirements and reassure those using their services.  This is the fifth approved certification scheme.  The others cover: offering secure re-use and disposal of IT assets, age assurance, children's online privacy, and training and qualification service providers.

Irish High Court allows Schrems to join Meta cases

The Irish High Court has allowed Max Schrems to join Meta's appeal against the Irish DPC's decision to prohibit Meta from transferring personal data to the USA under its Standard Contractual Clauses and supplementary measures, and the related €1.2bn fine for unlawful transfers.  Both Meta and the Irish DPC opposed the application by Schrems but he was held to be uniquely and directly affected given he was the originator of the initial complaints against Meta.

ICO guidance on content moderation and data protection

The ICO has published guidance on content moderation and how organisations can respect information rights when moderating online content.  The guidance is intended to help organisations caught by the Online Safety Act (OSA) comply with their data protection obligations when moderating content although also applies to organisations carrying out content moderation for other reasons. 

The guidance defines content moderation as "the analysis of user-generated content to assess whether it meets certain standards; and any action a service takes as a result of this analysis".  Definitions used in the OSA are followed but the guidance does not deal with OSA compliance.  The guidance looks at how to assess and mitigate risks when carrying out content moderation, how to make sure use of personal information is fair and lawful, information requirements, data protection principles and data subject rights.  It also covers issues including data transfers and automated processing so is wide-ranging.

The guidance may be updated once Ofcom completes relevant guidance and codes of practice.

Collective proceedings against Meta given go-ahead

An amended collective proceedings application brought by Dr Lovdahl Gormsen against Meta has been accepted by the Competition Appeal Tribunal.  The original application was turned down when the CAT found the methodology for establishing loss on a class-wide basis was inadequate.  The CAT finds that the amended application articulates abuses by Meta which are arguable and triable.  The proceedings relate to Meta's alleged abuse of dominance which led it to impose terms and conditions on users, unfairly requiring them to disclose unnecessary and disproportionate personal data in exchange for use of the service, as well as imposing unfair and anti-competitive terms and conditions.

ECJ narrows scope to claim non-material damage for fear of future misuse of personal data

The ECJ has given a ruling on a customer's claim for compensation for non-material damages after his personal data was disclosed to a third party due to employee error.  The data was recovered and returned and not used by the third party.  The ECJ held that the mere fact that a document is provided in error to an unauthorised third party is not sufficient to consider the controller did not take appropriate technical and organisational measures to protect the data.  Article 82 does not require severity of infringement to be taken into account when assessing damages, and Article 82(1) indicates damages should be compensatory not punitive.  In a situation where the unauthorised third party is not even aware of the wrongly disclosed personal data, there is no non-material damage just because the data subject fears there may be disclosure or misuse of that personal data in future,  As such, the ruling narrows the scope of the December 2023 judgment in VB v Natsionalna agentista za prihodite which found that fear of misuse of personal data by third parties following a GDPR infringement can give rise to a claim for non-material damages.

EDPB Opinion on main establishment and one-stop-shop

The EDPB has adopted an Opinion on the notion of main establishment and on the criteria for the application of the one-stop-shop mechanism.  The Opinion clarifies the meaning of "main establishment".  To qualify, it must be where the decisions on the purposes and means of data processing are taken and not just the place of central administration in the EU.  If there is no decision-making function in the EU, there will be no main establishment for GDPR purposes and the controller will not be able to participate in the one-stop-shop mechanism.

EDPB statement on CSAM Regulation

The EDPB has published a statement on the legislative developments on the proposed Prevention of Child Sexual Abuse Material (CSAM) Regulation.  The EDPB welcomes many of the amendments proposed by the European Parliament, including exempting end-to-end-encrypted communications from detection orders.  However, the EDPB also says it regrets that some of the issues it and the EDPS flagged in their joint Opinion on the draft have not been fully resolved, in particular those relating to general and indiscriminate monitoring of private communications via detection orders.  The EDPB is concerned that detection orders might be used against people unlikely to be involved in CSAM-related crimes and may not be limited to CSAM content.

DSIT publishes Introduction to AI Assurance and notice on AISI safety evaluation

DSIT has published an Introduction to AI Assurance.  This is the first set of guidance in a series planned to help organisations and regulators with AI assurance and governance.  The guidance includes a toolkit and sets out key actions to help organisations improve their understanding of AI assurance, implement effective internal governance processes, and engage with AI standardisation.  Sector specific guidance on AI assurance will follow.  This guidance sits within the DSIT AI Assurance portfolio.

DSIT and the AI Safety Institute (AISI) also published a notice (which includes case studies) setting out information about the safety evaluation techniques the AISI will use.  The focus will initially be on AI misuse, societal impact and autonomous systems.  The AISI is not considered to be a regulator but its work will inform UK policy making and provide technical tools to assist with governance and regulation.

Regulators who are in the frame on AI (including the ICO) and relevant Ministers, have been sent letters from the Secretary of State asking them to set out their strategic approach to AI and the steps they are taking in line with expectations set out in the government's AI White Paper.  They are asked to do this by 30 April 2024.

News as at 14 February 2024

UK government response to consultation on AI White Paper

The Department for Science Innovation and Technology (DSIT) has published a response to the consultation on the government's AI White Paper. The government's overall strategy has not changed as a result of the consultation. It confirms it will not be introducing AI-specific legislation although recognises it may be needed in future, particularly in relation to the most advanced (or highly capable) general-purpose AI. For now, the intention is to rely on sector-based regulation informed by the five (unchanged) AI principles:

• safety, security and robustness
• appropriate transparency and explainability
• fairness
• accountability and governance
• contestability and redress.

Regulators including Ofcom, the ICO, the CMA, FCA and MHRA are to publish an outline to their regulatory approach by 30 April 2024. This should include:

• an outline of the steps they are taking in line with the expectations set out in the White Paper
• an analysis of AI-related risks in the sectors and activities they regulate and the actions they are planning to take to address these
• an explanation of their current capability to address AI as compared with their assessment of requirements and the actions they are taking to ensure they have the right structures and skills in place, and
• a one-year strategic plan.

The regulators will be supported by new guidelines and the AI Standards hub, and their obligations will be on a non-statutory basis.  While the government noted there was support for a central AI regulatory function in the responses, it does not propose a single, central regulator but instead points to steps it is already taking to help regulator coordination. 

One area where the government does propose to legislate is in relation to automated decision making. In order to simplify the current framework, the government says it will use the Data Protection and Digital Information Bill to expand the lawful bases for processing personal data to reach solely automated decisions which have a legal or similarly significant effect on individuals.  It plans to replace the current Article 22 of the UK GDPR with new specific safeguards for automated decision making including information requirements and redress and review rights for individuals. Automated decision making which produces a legal or similarly significant effect will be prohibited where special data is being processed unless the lawful bases of consent, contractual necessity or being subject to a legal obligation can be relied upon where relevant. In the latter two cases, the processing must be in the substantial public interest.

The government also announced:

• that the Centre for Data Ethics and Innovation will become the Responsible Technology Adoption Unit
• various funding commitments, notably £100m for new AI innovation and to enhance the capability of relevant regulators
• it will not ask the IPO to produce a voluntary code of practice on copyright and AI.

The response sets out a roadmap for 2024 actions although the government's ability to carry these out will be subject to the timing and outcome of the General Election.

ICO reminds app developers to prioritise privacy

Following its scrutiny of period and fertility tracker apps last year, the ICO has concluded there were no serious compliance issues or evidence of harms.  It has, however, decided to remind all app developers to focus on privacy as its review showed a need for general improvements. The ICO stresses the need to be transparent, obtain valid consent, establish the correct lawful basis and be accountable. The ICO will share advice to app users on how to protect their privacy shortly.

ICO publishes second Tech Horizons report

The ICO has published a Tech Horizons report which looks at the implications of eight technologies it believes will significantly impact our societies, economies and information rights in the next two to seven years.  The report looks at the privacy implications of genomics, immersive virtual worlds, neurotechnologies, quantum computing, commercial drone use, personalised AI, next-generation search, and central bank digital currencies.

CMA concerns over Google's third-party cookie phase out

The CMA's latest report on Google's commitments relating to its Privacy Sandbox,  covering Q4 of 2023, raises continuing competition concerns. The CMA says that Google has complied with the commitments, however, further progress is needed to resolve competition concerns before third party cookies can be phased out.

CNIL and Dutch DPAs set out priorities for 2024

The Netherlands DPA has said that cookies will be a major focus for 2024.  It will check websites more often to see whether they get appropriate consents to tracking cookies and ensure websites are not using misleading or confusing cookie notices.

Meanwhile, the CNIL has said its priorities for 2024 will include data collection in the context of the Olympics and Paralympics, the collection of children's personal data online, loyalty programs and digital receipts, and data subject access rights.

Draft Regulations to amend the DPA18 immigration exemption

The government has tabled draft Regulations intended to bring the immigration exemption under the Data Protection Act 2018 into compliance with the law as required by the Court of Appeal.  The Regulations will introduce a number of safeguards to ensure immigration exemption decisions are made on a case by case basis and in accordance with all applicable laws, and that data subjects are kept informed throughout.  The ICO has welcomed the changes.

Shanghai to make it easier to export Chinese personal data

The Shanghai government has said it will introduce a new approval scheme to fast-track approval for the export of Chinese data by multinationals.  The system will be exclusive to Shanghai, with the rest of the country continuing to follow existing transfer rules.

EU Implementing Regulation on certification under the Cybersecurity Act published in Official Journal

The Regulation for an EU common criteria-based cybersecurity certification scheme (EUCC) has been published in the Official Journal.  This is the first cybersecurity certification scheme under the Cybersecurity Act intended to enhance cybersecurity of ICT products, services and processes.  Further schemes are planned on cloud services and 5G security.  The voluntary scheme provides for two levels of risk assurance – substantial or high - subject to the intended use of the product, service or processes being certified.  It enters into force on 27 February 2024.

News as at 6 February 2024

ICO calls for proactive action on advertising cookies

The ICO has called for organisations to take proactive action to make advertising cookies compliant with data protection law, notwithstanding a positive response to its warnings to top websites.  In November 2023, the ICO wrote to 53 of the UK's top 100 websites, warning them that their use of advertising cookies was not compliant with data protection law and that they would face enforcement action if they failed to take action.  The ICO says 38 of the organisations have since taken action to ensure compliance, a further four will reach compliance by the end of February 2024, and others are looking to develop alternative solutions including contextual advertising and subscription models. The ICO intends to provide further clarity on lawful implementation of these alternative models in the next month. 

The ICO is preparing to write to the next 100 websites and is developing an AI tool to help identify websites using non-compliant cookie banners.  However, the ICO urges non-compliant organisations to take proactive action rather than waiting for the ICO to contact them.

ICO campaign for safe sharing of children's data

The ICO has launched a campaign to promote responsible sharing of children's data. The ICO is working with education, law enforcement and social services organisations to raise awareness about responsible data sharing in order to protect children from harm.  The 'Think. Check. Share.' campaign demonstrates how data protection law can help organisations share children's information when required to safeguard children and young people.  The ICO has also created a toolkit of resources, and partnered organisations can use the ICO logo to co-brand materials.  The campaign follows September 2023's 10-step practical guide on sharing information to safeguard children.

ICO consults on Enterprise Data Strategy

The ICO is consulting on its draft Enterprise Data Strategy (EDS).  Developed in line with the ICO25 strategic plan, the EDS outlines how the ICO will use its own data to inform and direct its corporate, regulatory and strategic priorities.  Views are sought from business, the public sector, civil society and interested individuals.  The ICO seeks to understand how data it holds should be made available in the public interest to help organisations innovate and mitigate risk. The deadline for responses is 12 March 2024 and the ICO plans to publish a final version of the EDS and a roadmap in May 2024.

EDPB website audit tool

The EDPB has published a website auditing tool to support controllers and processors as well as DPAs in conducting data audits.  The free, open source tool allows preparing, carrying out and evaluating audits and is compatible with other EDPB/EDPS tools.

ENISA report on engineering personal data protection in EU Data Spaces

ENISA has published a report which aims to contextualise the main design principles for engineering data protection in Common European Data Spaces.  The report goes through two hypothetical use cases focused on pharmaceuticals and considers the role of data protection engineering, DPIAs and accountability.

Uber fined €10m for data protection failings

The Dutch and French DPAs have fined Uber €10m for failing to disclose its data retention periods to EU drivers, and for making it unnecessarily complicated for drivers to request access to their personal data.  The Dutch DPA noted that these "low impact" issues had since been fixed and dismissed the vast majority of driver claims as unfounded.

Garante notifies OpenAI of data protection breaches

The Italian DPA, the Garante, has sent OpenAI a notice informing it of alleged breaches of data protection law relating to ChatGPT.  The Garante, announced an immediate ban on ChatGPT and an investigation into its parent company OpenAI's GDPR compliance in March 2023.  The Garante said OpenAI did not have a lawful basis for processing such large amounts of personal data to train ChatGPT, and did not verify the age of users thereby exposing minors to unsuitable answers.  It also had concerns about transparency and data security following a data breach.  While disagreeing with the Garante's findings. OpenAI temporarily disabled access to ChatGPT in Italy. 

Other EU regulators also began to scrutinise OpenAI and the EDPB set up a dedicated task force to foster cooperation and exchange information on possible enforcement actions conducted by data protection authorities.  The Garante, subsequently lifted its ban subject to OpenAI making changes to its privacy practices, including around transparency, lawful basis, and age verification for Italian users. The Garante now says it will take account of the work in progress by the EDPB task force and OpenAI can submit counterclaims within 30 days.

AG Opinion on consumer protection proceedings for infringement of data protection law

AG de la Tour has opined in a reference from Germany's Federal Court of Justice.  The reference asked whether failure to take appropriate measures under Article 12(1) GDPR to provide Article 13(1) required information is a breach of data subject rights and whether, consequently, a representative action brought by a consumer protection association based on such an infringement should be allowed to proceed in accordance with Article 80(2).  The AG opined that such a breach could give rise to such proceedings.  The referring case relates to a challenge to a consumer representative body bringing an action against Meta Platforms Ireland, alleging it had failed to provide fair processing information to users of free games available in its app centre.

COREPER approves EU's AI Act

The EU's AI Act has been approved by the Council of the European Union's Committee of Permanent Representatives (COREPER). The Act now moves on to adoption by the European Parliament with a committee vote scheduled for 13 February and the full plenary vote expected on 10 or 11 April. Following adoption by the Parliament, the AI Act will be formally adopted and published in the Official Journal, coming into force 20 days later.

EU-Japan protocol facilitates cross-border data flows

The EU and Japan have signed an economic partnership agreement agreed in October 2023.  The protocol includes provisions on cross-border data flows with the aim of providing greater legal certainty that data flows between the two jurisdictions will not be hampered by unjustified data localisation measures.

News as at 31 January 2024

Call for evidence on draft Cyber Governance Code of Practice

The government has published a Call for evidence on the draft Cyber Governance Code of Practice.  The Code sets out the critical governance areas directors need to tackle in order to protect their organisations.  It is intended to help directors and senior leaders take appropriate steps to protect against cyber attacks.  The Code has been developed together with the National Cyber Security Centre.  It focuses on ensuring companies have detailed breach response plans which are robust and regularly tested, together with breach incident reporting processes.  Organisations are also encouraged to prioritise cyber security and ensure employees are properly educated about risks and their mitigation. 

Views are sought in particular about the design of the Code, how government can drive its use, and about the pros and cons of an independently assessed assurance process against the Code. The call closes on 19 March 2024.

Government response on software resilience and security for businesses and organisations

The UK government has published its response to the call for views on software resilience and security for businesses and organisations.  The government proposes a new voluntary code of practice for software vendors setting out the security obligations for organisations that sell software commercially.  It will place responsibilities on organisations profiting from the sale of software (rather than on unpaid OSS developers or customers).  Guidance will be provided to help suppliers, including for those supplying software used in high-risk situations eg by government or in critical infrastructure.  Further resources will be provided to help with accountability and to help customers with software procurement and maintenance.

Global Privacy Enforcement Network to look at dark patterns

The Global Privacy Enforcement Network has announced it will carry out a privacy sweep between 20 January and 2 February, looking at deceptive design patterns (dark patterns) used by websites and apps to influence people into making potentially harmful choices relating to their privacy.  The intention is that based on the outcome, participating regulators will organise awareness activities on the issue and, potentially, launch investigations and enforcement actions. 

EDPB asked to decide on 'pay or OK' behavioural advertising models

The EDPB has been asked by DPAs from Netherlands, Norway and Hamburg, to take a position on the 'pay or OK' model for targeted advertising – ie where users are given a choice between paying for an ad-free service, or allowing behavioural ads in return for a free service.  Meta has announced a move to this structure following the EDPB's decision that it could not rely on legitimate interests or contractual necessity as a lawful basis for its targeted advertising.

Government consultation on digital identities and age assurance to help prevent sales of alcohol to under-18s

The government is consulting on whether to amend the Licensing Act to allow digital identities and age assurance technology to play a role in age verification for alcohol sales in England and Wales, and when age verification should take place for distance sales.  Part of this involves looking at whether measures to prevent the sale of other age-restricted products being sold to children online have been successful.  The consultation closes on 30 March 2024.

Digital Government (Disclosure of Information) (Identity Verification Service) Regulations 2024 made

The Digital Government (Disclosure of Information) (Identity Verification Service) Regulations 2024 have been made under the Digital Economy Act 2017, and will come into force on 8 February 2024.  Their objective is to enable individuals to create a reusable digital identity in a convenient, secure and efficient way and to provide support for the administration and delivery of such services.   Specified public authorities are permitted to check and share government-held personal data in order to make it easier for individuals to prove their identity when accessing digital services.

EC AI innovation package

The European Commission launched an AI innovation package to support AI startups and SMEs. The package includes:

• Adoption of a Decision to establish the European AI Office.  The Decision will take effect on 21 February.  The AI Office will be created within the Commission to oversee the most advanced AI models, contribute to fostering standards and testing practices, and enforce EU-wide rules.  The Office will be advised by a scientific panel of independent experts, in particular about GPAI systems, foundation models, and material safety risks.  It is intended to become a central coordination body for AI policy at EU level.
• An amendment of the EuroHPC Regulation to set up AI factories
• An EU AI Start-Up and Innovation Communication which makes provision for financial support and initiatives to up-skill the EU's talent pool, encourage investment in AI, accelerate the setting up of Common European Data Spaces to be made available to the AI community, and the GenAI4EU initiative to support the development of novel use cases.
• Two European Digital Infrastructure Consortiums with a number of Member States, to help develop a common European infrastructure in language technologies, and to help cities take advantage of AI tools.
• A Communication outlining the Commission's own strategic approach to the use of AI.

UK government publishes Generative AI Framework for government bodies

The government has published non-statutory guidance for HM Government on using generative AI safely and securely for civil servants and people working in government organisations. The guidance looks particularly at compliance with data protection law and ethical considerations.  It is based around ten principles and focuses on fairness, collaboration, education, the importance of human oversight, safety and security.

NCSC report on near-term impact of AI on the cyber threat

The National Centre for Cyber Security has published a report looking at the cyber threats posed by AI over the next two years.  It concludes that AI will certainly increase the volume and impact of cyber attacks but suggests the threat will be uneven.   It notes that many threat actors already use AI but as AI capability becomes more sophisticated, attacks will become more effective.  The report analyses which threat actors will be most likely to have enhanced capability and the impact that is likely to have.

News as at 25 January 2024

ICO updates Opinion on age assurance to take account of the Online Safety Act

The ICO has updated its 2021 age assurance Opinion to:

• provide guidance on what online services need to do if they are likely to be accessed by children
• reflect technological developments
• explain legislative developments and how organisations can comply with data protection law while also complying with the Online Safety Act's requirements on using age verification/assurance.

EC upholds eleven adequacy decisions

The European Commission has published a report upholding the adequacy decisions for Andorra, Argentina, Canada, the Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay (11 of the current 16 adequacy decisions).  In some cases, the Commission makes recommendations for further protections, but essentially finds these countries continue to provide an adequate level of protection to EU personal data.

EDPB report on coordinated enforcement action on DPOs

The EDPB has published its report on its 2023 coordinated enforcement action which focused on the role of the DPO.  23 EEA Data Protection Authorities launched investigations and analysed over 17,000 responses.  The EDPS also reported on the role of the DPO in internal EU institutions. The report concludes that the majority of DPOs said they have the necessary skills and knowledge to carry out their work, have suitable training and clearly defined tasks, adequate resources and the required independence.  However, insufficient resources or knowledge and lack of independence were cited by some.  As a result, the report makes recommendations for organisations, DPOs and DPAs. These centre on awareness-raising and incentivisation by DPAs and recommend organisations improve the safeguards to maintain independence, provide sufficient resources and training for DPOs, and institute clear reporting lines.

EDPB case digest on one stop shop data security and breach cases

The EDPB has published a case digest of one stop shop decisions on data security and breach notification relating to Articles 32-34 GDPR. The case digest shows how DPAs have interpreted and applied these parts of the GDPR, offering summaries and analyses of the decisions.

New Jersey latest US State to enshrine Privacy Bill

New Jersey's Privacy Bill has become law and will take effect on 17 January 2025.  The law will apply to organisations controlling or processing data of at least 100,000 individuals or holding data on at least 25,000 individuals while generating revenue from the information.  Processing solely for the purpose of completing a transaction is explicitly excluded from scope.

CNIL fines Yahoo! €10m for cookie breaches

The CNIL has fined Yahoo! €10m for consent failings in relation to cookies.  The CNIL found that in 2020, around 20 advertising cookies were dropped on user devices whether or not consent had been given.  The CNIL also found that users of Yahoo! Mail were informed they would lose access to the messaging service if they withdrew consent to cookies.  As no alternative was given to accessing the service without consenting to cookies, the consent could not be said to be freely given.

News as at 17 January 2024

ICO launches consultations on generative AI

The UK's ICO has launched a series of consultations looking at how aspects of data protection law should apply to the development and use of generative AI. The ICO is seeking views from a range of stakeholders including developers and users of generative AI , legal advisors and consultants, civil society groups and interested public bodies. The consultations will be on a series of chapters setting out the ICOs thinking on how to interpret specific requirements of the UK GDPR and Part 2 of the DPA 18 in relation to pressing questions including about:

• appropriate lawful basis for training generative AI models (the ICO suggests this is likely to be legitimate interests, subject to the outcome of a legitimate interests assessment)
• use of the purpose limitation principle in the context of generative AI development and use
• the expectations around complying with the accuracy principle
• the expectations in relation to complying with data subject rights.

The first chapter focuses on the lawful basis for web scraping to train generative AI models. Feedback is invited by 1 March 2024.

Call for evidence on GDPR

The EC has published a call for evidence on the application of the GDPR which closes on 8 February. As reported last week, the EDPB has completed its analysis, concluding the GDPR did not need to be revisited.

Fines for unlawful marketing continue to flow

The ICO started 2024 as it no doubt means to continue. It fined HelloFresh £140,000 for sending over 79m spam emails and 1m spam texts in seven months. The ICO said the marketing messages were sent based on an insufficiently clear opt-in. The ICO also fined two home improvement companies a total of £250,000 for making illegal marketing calls including to people on the 'do not call' register.

News as at 11 January 2024

Data Act published in the Official Journal

The EU's Data Act was published in the Official Journal on 22 December 2023 and will come into force on 11 January 2024. It will apply broadly from 12 September 2025. The Data Act is intended to remove barriers to data sharing, give businesses access to data they contribute to creating, and individuals more control over all their data (not just personal data). It will empower users of connected devices to access and share data they generate with third parties as well as switch cloud and edge service providers. It also aims to protect SMEs by providing a harmonised framework in which data can be shared, equalising access to data across the single market.

While the Data Act will mostly apply from 12 September 2025, some elements will be introduced on other dates:

• Article 3(1) (requirement to design and manufacture connected products to make data and metadata easily accessible and machine-readable) will apply to connected products and related services which are placed on the market after 12 September 2026.
• Chapter III (obligations for data holders obliged to make data available pursuant to Union Law) will apply to obligations to make data available under Union law or national legislation adopted in accordance with Union law, which enters into force after 12 September 2025.
• Chapter IV (unfair contractual terms related to data access and use between enterprises) will apply to contracts concluded after 12 September 2025.
• Chapter IV will apply from 12 September 2027 to contracts concluded on or before 12 September 2025, provided they are of indefinite duration or due to expire at least 10 years from 11 January 2024.

ICO TRA guidance for US transfers

The UK's ICO has published guidance for organisations transferring personal data to the US under Article 46 transfer mechanisms (UK IDTA and UK BCRs). The guidance explains how the UK-US Data Bridge can help streamline the Transfer Risk Assessment process required when making transfers to the US under Article 46 (as opposed to under the Data Bridge itself).

The CNIL published a consultation on its draft guidance on transfer impact assessments more widely on 8 January.

ICO consultation on two sets of guidance for employers and recruiters

The ICO is consulting on two further sets of draft guidance for employers and recruiters which will form part of the ICO's overhauled guidance on employment information.  The draft guidance covers:

• Keeping employment records – covering lawful basis for retention, data retention periods, managing consents and data minimisation.
• Recruitment and selection – covering how to process candidate data fairly and lawfully, keeping records accurate, up to date and secure, and compliance with employee rights.

Google Maps introduces new controls over location history

In mid-December, Google Maps announced that it will give users greater control over their location histories.  Users will be able to review and more easily delete their location histories and searches via their location blue dot.  Auto-delete will be set to three months by default rather than 18 months.  New features will be rolled out over the course of 2024.

House of Commons Joint Committee report on ransomware

The House of Commons Joint Committee on the National Security Strategy has published the findings and subsequent recommendations following its call for evidence on ransomware.  The Committee's recommendations to the government include:

• looking at establishing a cross-sector regulator for cyber-resilience of critical national infrastructure
• providing funding to the National Cyber Security Centre (NCSC) to create a cyber-resilience programme for local authorities
• to work with the insurance industry to set up a re-insurance scheme for major cyber attacks
• to urgently reform the Computer Misuse Act
• to move responsibility for tackling ransomware to the Cabinet Office from the Home Office.

The government is required to respond to the report within two months.

British Library ransomware attack

The British Library fell victim to a ransomware attack by criminal group Rhysida at the end of October 2023.  Not only did it result in personal data records and other files being placed for sale on the dark web, it also incapacitated the British Library systems with the digital catalogue and some other services remaining unavailable.  While final costs are unconfirmed, reports suggest that the Library will use 40% of its cash reserves to resolve the issues.

Court of Appeal rules immigration exemption unlawful

On 11 December 2023, the Court of Appeal upheld the decision of the High Court that the immigration exemption in the Data Protection Act 2018 is unlawful.  It found that the requirement to balance rights should be included on the face of the legislation rather than in non-binding policy documents and that there was a failure to comply with Article 23(2)(g) of the UK GDPR.  The court has suspended the declaration of unlawfulness for three months from the date of the judgment to give the government time to amend the legislation.

ICO updated statement on DPDI Bill

The ICO has published an updated response to the DPDI Bill following its carry-over.  The ICO continues to support the Bill but notes that some of the latest amendments amount to new policy which has not been subject to wider public consultation or line-by-line scrutiny in the House of Commons.  While welcoming many of the changes, particularly regarding the ICO's own role and funding, the ICO does express reservations about the proportionality of new measures allowing the government to obtain certain information to help it detect benefit fraud.

UK government consultation on security standards for data centres

The government launched a consultation in mid-December on protecting and enhancing the security and resilience of UK data infrastructure, particularly data centres and cloud service providers.  There are concerns that the UK is not adequately protected against cyber attacks, or from risks presented by natural hazards such as flooding or other extreme weather.

The government proposes that organisations operating third party data centres, in particular those implemented to provide colocation and co-hosting data services, should be required to undertake or comply with the:

• registration and information requirement provisions with the designated regulator
• security and resilience measures
• standards and assurance testing
• incident reporting
• creation of a regulatory function to manage and enforce the new framework.

The consultation closes on 22 February 2024.

EU Cybersecurity Regulation to be published in the Official Journal

The Cybersecurity Regulation which sets out common cyber security standards at the institutions, bodies, offices and agencies of the EU, has passed its final hurdle following its adoption by the Council of the EU, and will now be published in the Official Journal.  The Regulation puts in place a governance and risk management framework and extends the remit of the Computer Emergency Response Team for the EU institutions.  It creates a minimum set of information security rules and standards.

ECJ ruling on controller liability for third-party cyber attacks

The ECJ has ruled in a reference from Bulgaria on issues around controller liability for third-party cyber attacks and compensation for fear of misuse of personal data.  The ECJ held that:

• the mere fact of unauthorised access to data is not, in itself, evidence that a controller has failed to take appropriate technical and organisational measures to protect the data.  This must be assessed by the national courts on a case by case basis
• the controller must be able to demonstrate that its security measures are appropriate in accordance with s32 requirements and the principle of accountability.  An expert report will not necessarily be sufficient
• Article 82 means that a controller may have to compensate data subjects who have suffered damage as a result of unauthorised access to or disclosure of their personal data unless the controller can prove it is not responsible for the damage
• fear of potential misuse of data by third parties as a result of a data breach can constitute non-material damage for the purposes of Article 82 GDPR.

The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 now in force

The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 came into force on 31 December 2023.  They revoke and replace the definition of "Fundamental rights and freedoms" in the UK GDPR and DPA 18 to take account of the fact that the UK is no longer subject to the EU Charter on Fundamental Rights.

Google settles US privacy class action

Google has reportedly agreed to pay USD 5bn to settle a class action lawsuit centred on the allegations that it misled users into believing they weren't being tracked online while using incognito mode.  The settlement now has to be approved by a judge.

EasyPark Group reports hack to ICO

EasyPark Group, owner of RingGo and ParkMobile, reported to the ICO that it had suffered a data breach after hackers accessed their customer data.  Around 950 UK users were involved but the majority of those affected are based in Europe.

EDPB opinion letter responding to EC cookie pledge initiative

The EDPB has published an opinion letter adopted in December 2023 in response to a request by the EC on the EC's cookie pledge voluntary initiative.  The cookie pledge initiative was developed by the EC in response to concerns about 'cookie fatigue'.  The EDPB was asked to give an opinion on whether the EC's proposals would be in line with the GDPR and the ePrivacy Directive.

The EDPB notes that the principles would ensure users receive concrete information on how their personal data is processed and about the consequences of accepting different types of cookies.  Users would have greater control over their data as a result.  The principles also state that consent should not be asked for within a year of it being refused which, the EDPB says, would be an important step to reducing cookie fatigue.  It notes, however, that adherence to the cookie pledge principles would not necessarily mean an organisation had complied with the GDPR or the ePrivacy Directive and should not alter the competence of national data protection authorities.

The EDPB notes that it cannot give a blanket statement to the effect that offering a paid alternative to a service which involves tracking (as Meta is doing in the EU), would constitute valid consent.  The EDPB suggests the principles make clear that a case by case assessment is required under such circumstances in accordance with the ECJ judgement in Meta and others of 4 July 2023 (C-252/21, ECLI:EU:C:2023:537, paragraph 150.). 

References are made to various pieces of guidance around cookies and case law, including that legitimate interests is not a suitable lawful basis for cookies, and that an opportunity to 'reject all' non-necessary cookies should be given on the first level.

The EDPB takes issue with the suggestion in Principle F, that separate consent for cookies used to manage the advertising model selected by the consumer is not required.  The EDPB underlines that consents must be requested for specific well-defined purposes and purposes should not be combined.

As far as not asking consumers to accept cookies for a period of one year is concerned and the assertion that a cookie to record negative consent is a "necessary one", the EDPB says that it understands the scope of this to relate only to the recording of a user's refusal to or withdrawal of consent and recommends clarification. The EDPB also suggests a negative consent cookie should contain only generic information common to all users such as a flag or code, and points to the fact that gatekeepers subject to the Digital Markets Act already have to comply with rules on the frequency of asking for consent to cookies.

The EDPB supports the use of software settings to enable users to express choice but says caution is necessary when aiming to use software settings to express affirmative consent as a default 'yes' would not satisfy GDPR requirements.

All in all, the EDPB recommends a series of clarifications be made to the draft principles.

Separately, the ICO published its November 2023 letter sent to 100 companies informing them that their cookie banners might not be compliant with UK data protection law.  The letter has been published so other companies can understand how to address potential non-compliance.

EDPB contribution to the EC report on the application of the GDPR

The EDPB has adopted its contribution to the Article 97 report on the application of the GDPR.  The EDPB considers that the GDPR has been successful and does not need revisiting.  It highlights the need to adopt the currently draft Regulation dealing with cross-border enforcement of the GDPR and to reach more adequacy decisions.  It warns that trade agreements must not be used to circumvent data protection law and also highlights the need for better resources for national regulators.

News as at 12 December 2023

2023 data and cyber roundup

Look back on the main UK and EU-level developments in data and cyber security during 2023 in our 2023 roundup.  Our update is packed with useful links and helpful summaries to remind you about the year that (almost) was, and help you start 2024 on top of things.  You can access the full edition of Radar which also covers AI, tech, consumer protection, advertising, games and more here.

Provisional political agreement reached on EU AI Act

Provisional political agreement was reached on the AI Act on 8 December 2023 after lengthy and intense negotiations between the European Parliament, the Council of the EU and the European Commission.  The legislation continues to take a tiered approach with a ban on certain types of 'unacceptable risk' AI, and the most onerous provisions relating to high-risk systems. Read more.

ECJ rules on automated credit scoring and data retention

The ECJ has ruled on a reference from Germany that certain types of automated credit scoring and data retention practices breach GDPR rules on solely automated decision-making.  The ECJ says credit scoring must be regarded as an automated individual decision prohibited under the GDPR unless subject to an exception – something for the national courts to determine. The ECJ also said it is unlawful for private credit rating agencies to keep data regarding discharge from debts for longer than the period permitted in relation to the relevant public insolvency record.

EDPB publishes binding decision on EEA-wide ban on Meta conducting behavioural advertising

The EDPB has published its binding decision (taken earlier this autumn) which instructs the Irish Data Protection Commissioner to issue Meta with an EEA-wide ban on using tracking technologies for the purposes of behavioural advertising on the lawful basis of contractual necessity or legitimate interests.  The Irish DPC adopted its final decision on 10 November 2023.

EC Communication on common European mobility data space

The European Commission has adopted a Communication on the creation of a common European mobility data space to facilitate access, pooling and sharing of data from existing and future transport and mobility data sources.  The EMDS is also intended to help ensure a high level of cyber security in the sector.  The space is intended to be fully operational by the end of Q1 2028.

MoJ publishes five-year security plan

The UK's Ministry of Justice has published its Cyber Security Strategy 2023-2028.  This focuses on anticipated cyber threats relating to the MoJ and measures to combat those risks, including use of technology and skills training.  The strategy is intended to improve the resilience of critical MoJ services and to embed security by design and instil a culture of cyber security.

California Privacy Protection Agency proposes updating CCPA

The California Privacy Protection Agency is proposing updating the California Consumer Privacy Act regulations, potentially to increase fines and update provisions on dark patterns and data subject rights.  It has also published proposals for its planned data broker registry under the Delete Act.

News as at 6 December 2023

Provisional political agreement reached on EU Cyber Resilience Act

The European Parliament and Council reached agreement on the Cyber Resilience Act on 1 December 2023.  This will introduce mandatory cyber security requirements for all hardware and software throughout the product lifecycle, taking a risk-based approach.  Manufacturers will be required to implement security by design and provide support and updates to consumers for a period of time related to the anticipated lifespan of the product. They will also be subject to transparency and incident reporting requirements.  The CRA will now be formally adopted and will enter into force 20 days after publication in the Official Journal.  Manufacturers, importers and distributors of hardware and software products will then have 36 months to prepare for full implementation and 21 months in relation to  incident and vulnerability reporting obligations.

EC proposes extension of interim Regulation derogating from ePrivacy Directive

Pending agreement of the CSAM Regulation, the EC is proposing to extend its 2021 Regulation on a temporary derogation from certain provisions of the ePrivacy Directive to combat child sexual abuse online to 4 August 2024.  The Regulation enables the use by certain types of communications services of technology to process personal and other data to help detect, report and remove child sexual abuse material.

ICO investigation into 'text pests'

The ICO has published learnings from its investigation into 'text pests' – staff who use personal data of customers to contact them inappropriately.  The ICO says while the problem does occur, it has also found examples of good practice by businesses and cites some examples.  It has not found ongoing negligent behaviour from specific companies but has seen a good level of understanding on how to prevent the issue arising and what to do if it does.

UK and US global AI security by design guidelines

The UK's National Cyber Security Council (NCSC) has announced new voluntary global guidelines on secure AI system development. The guidelines were developed in association with the US and industry and have been endorsed by national agencies from 16 other countries including the G7.  The guidelines are intended to help AI system developers embed cyber security by design into all stages of the development phase but extend across the product lifecycle to cover secure deployment, operation and maintenance.  They are aimed primarily at providers of AI systems who are using models hosted by an organisation or are using APIs, but all stakeholders are urged to take them into account.

NOYB and BEUC take issue with Meta's new subscription model

The data privacy campaign group NOYB has filed a complaint with the Austrian data protection regulatory about Meta's new subscription model for ad-free services on its Facebook and Instagram platforms.  Meta has started rolling out its ad-free service to EU users and argues that those who prefer to use the free version are consenting to their personal data being used for behavioural advertising.  NOYB argues that this does not constitute valid GDPR consent and the subscription model amounts to a "privacy fee".

The Bureau Européen des Unions des Consommateurs (BEUC), has filed a complaint with the network of consumer protection authorities (CPC) around similar concerns from a consumer protection standpoint.  It claims that Meta's new model engages unfair commercial practices including due to allegations that:

• Meta is pushing consumers into making a choice they may not want to take by partially blocking its services until users have selected an option, creating a sense of urgency and pressure which is an aggressive practice.
• Consumers cannot make an informed choice due to misleading and incomplete information including the suggestion that the non-subscription model is free when consumers actually pay via their data. It's also unclear that there will still be processing of personal data with the subscription model even though it won't be used for targeted advertising.
• Meta inaccurately presents this new model as a choice. The high subscription fee is a deterrent to choosing that model and given the market power of Facebook and Instagram, users are reluctant to leave the services. This means they are likely to be pushed into accepting the free model with targeted advertising and do not have a real choice.

GDPR fines may only be imposed for intentional or negligent infringement, says ECJ

The ECJ has made its ruling on two references from Germany and Lithuania, the German reference relating to the long-running Deutsche Wohnen case,

The ruling clarifies a number of issues relating to the imposition of GDPR fines including that:

• there must be wrongful conduct – ie the GDPR infringement must have been committed intentionally or negligently
• where the controller is a legal person (in the context of Member State law), it is not necessary for the infringement to have been committed by its management body, or for that body to have had knowledge of the infringement.  A legal person is liable for infringements committed by its representatives, directors, managers and any other person acting in the course of the legal person's business and on its behalf.  In short, a company can be the recipient of a fine without the associated breach having to be attributed to a natural person
• a controller can be fined in respect of its processors' actions to the extent that the controller can be held responsible for them
• whether or not a controller is a joint controller is a matter of fact and does not require a formal arrangement between the entities, however, where there are joint controllers, there must be an arrangement between them allocating their responsibilities under the GDPR
• the calculation of the fine where the addressee is or forms part of an undertaking must be based on the concept of an "undertaking" under competition law and the maximum amount of the fine calculated on the basis of a percentage of the total worldwide annual turnover of the undertaking concerned as a whole in the preceding business year.

News as at 30 November 2023

Data Protection and Digital Information Bill reintroduced and amendments tabled

The Data Protection and Digital Information Bill was reintroduced to Parliament on 8 November.  During its passage through the Commons prior to its re-introduction, amendments were accepted in relation to clauses 1-7.  The government has now tabled 124 pages of further amendments for consideration at report stage which is set to take place on 29 November.  Among the amendments highlighted by the government are:

• New powers to require data from third parties (including banks and financial organisations) to help the UK government reduce benefit fraud
• A requirement on social media companies to keep any relevant personal data relating to a child who has died through suicide where that data could be used in subsequent investigations or inquests
• Changes to the retention of biometric data provisions to strengthen national security, with retention measures extended regarding non-UK citizens convicted of criminal offences or subject to an INTERPOL order.

The government describes the changes as "common sense" but some are likely to prove politically contentious. 

There are also proposals which depart further from the GDPR, including for example, one tabled by Labour MP Chris Bryant to amend the right to object to solely automated processing which has a legal or similarly significant effect, to a right where processing is "solely or partly" based on such processing.  Non-government tabled amendments are less likely to be accepted.

Data Act set to be published in January 2024

The EU's Data Act has cleared the European Parliament and Council. It is expected to be published in the Official Journal in early January 2024 and will apply 20 months after that.  It aims to facilitate data sharing, in particular, of industrial and business data as well as personal data, in order to help individuals and businesses leverage the value of the data they help generate, and level the data playing field

CMA response to government consultation on proposals for a smart data scheme in the UK telecoms market

DSIT is consulting on proposals to establish a smart data or open communications scheme in the UK telecoms market which would enable customers to request and obtain information relating to their services which could be shared with third parties with customer consent.  This would cover information about usage statistics, price and speed.  The CMA has published its response.  It is in favour of this type of scheme and provides input and learnings from other smart schemes.

NHS announces Federated Data Platform

The NHS has announced it will launch a Federated Data Platform from spring 2024, to join up information currently held in separate NHS systems.  The platform will bring together real time data such as the number of beds available, waiting lists, staff rosters and supply availability.  Somewhat controversially in certain quarters, the NHS has awarded the software contract to a group led by Palantir Technologies UK, but the NHS has underlined that neither they nor the other companies involved in supplying the software will have access to patient data.

News as at 23 November 2023

EDPB guidelines on Article 5(3) ePrivacy Directive

The EDPB has adopted provisional Guidelines on the technical scope of Article 5(3) of the e-Privacy Directive which will be finalised following a six-week consultation period. The guidelines are intended to clarify which technical operations, in particular new and emerging tracking techniques, are in scope of the Directive and provide greater legal certainty. The guidelines look at the key elements for the applicability of Article 5(3) and analyse the terminology used in more detail. They also include use cases to cover risk mitigation measures and solutions to ensure consent obligations are fulfilled.

Interestingly, the UK's ICO has also chosen this week to warn some of the UK's top websites that they face enforcement action if they do not make changes to their cookie notices and policies to bring them into compliance with the law.  The ICO warns that websites must make it as easy to reject tracking technologies for behavioural advertising purposes, as it is to accept them.  This is best achieved by including a 'Reject all' button next to the 'Accept all' one.  The ICO has written to 30 non-compliant leading websites giving them 30 days to make changes and will publish an update on this work in January 2024, which will include details of companies which have not addressed its concerns.

ICO consults on draft UK BCR Addendum

The UK's ICO is consulting on a draft Addendum to approved EU Binding Corporate Rules (BCRs). The Addendum will comprise the EU BCRs, an addendum extending their scope to include UK Restricted Transfers and which forms the UK legally binding instrument, and a UK BCR Summary which provides information to Relevant Data Subjects (and for Processor BCR, Third Party Exporters).

The UK BCR Addendum can be used in two ways:

• as a standard form which will automatically update if the ICO makes changes to its published UK BCR Addendum
• as a template or guidance which can be used and amended by a company and submitted to the ICO for review.

The Addendum is structured as an intra-group agreement but can be amended to be or become a joining agreement.  ICO authorisation is required in all cases for the Addendum to create a set of UK GDPR binding BCRs.

ICO draft guidance on transparency in the health and social care sectors

The ICO has published draft guidance on transparency in the health and social care sector for consultation. The guidance is aimed at anyone in health and social care who is involved in delivering transparency information to the public and aims to help them understand what data protection transparency means for their organisations, how to develop effective transparency material, how to provide transparency and privacy information to patients, service users and the public, and the factors to consider when assessing levels of transparency.  The consultation closes on 7 January 2024.

Provisional agreement reached on EU Regulation on data collection and sharing relating to short-term accommodation rental services

Provisional political agreement has been reached between the co-legislators on the EU's draft Regulation on data collection and sharing relating to short-term accommodation rental services and amending Regulation (EU) 2018/1724 establishing a single digital gateway to provide access to information to procedures and to assistance and problem-solving services. The aim of the Regulation is to harmonise and improve the framework for data generation by short-term rentals (STRs) across the EU and enhance transparency. This is partly as a result of the heavy burden placed on platforms for STRs and the multiple data requests they receive, especially where they operate cross-border. 

The Regulation will now be formally adopted and will then be published in the Official Journal. There will be a two-year implementation period.

International Data Transfers Expert Council report

The UK's International Data Transfers Expert Council was set up in January 2022 to advise the government on its data transfer policy. It has produced a report submitted for consideration to DSIT setting out its findings based on its work since it was founded. The report contains the council's independent recommendations to the government and international community on facilitating multilateral solutions for sustainable and scalable data transfers. It promotes a risk-based approach based on accountability, flexibility and scalability. The council also makes a series of short-, medium- and long-term recommendations as to how to achieve global consensus on trusted transfers.

ICO seeks to appeal FTT judgment on Clearview AI

The ICO is seeking leave to appeal the judgment of the First Tier Tribunal that held the ICO had incorrectly applied the UK GDPR in relation to its findings that Clearview AI had breached the UK GDPR. The Tribunal agreed with Clearview that the activities in question did not fall within the scope of the legislation. The ICO's view is that Clearview itself was not, as it contended, processing for foreign law enforcement purposes and should not, therefore, be shielded from enforcement under the UK legislation.

News as at 16 November 2023

EU Data Act nears completion

The European Parliament has adopted its first reading position on the Data Act following political agreement on the text reached in June 2023. The Council will now adopt the Data Act after which it will be published in the Official Journal and come into force 20 days later. It will apply 20 months after that.

Is the AI Act in trouble?

Euractiv has reported that negotiations on the AI Act have hit a potential roadblock as disagreements have arisen. While good progress had earlier been reported on classification of foundation model AI and biometric facial recognition technology, Euractiv suggested that France, Germany and Italy were moving to prevent tiered regulation (or potentially any regulation) of foundation models.  There are even reports that some Member States are now opposing the AI Act in its entirety on the basis that it is overregulating the technology.  The next trilogue in early December was intended to be the final one but if agreement is not reached, the Spanish presidency is unlikely to do anything further on the file, passing it to the incoming Belgian presidency. There will then be only a few weeks before the European Parliament is dissolved pending elections in June 2024.

Data initiatives in King's Speech

The Data Protection and Digital Information Bill (2) has been held over and will be re-introduced (without the no.2). 

More controversially, the government announced the Investigatory Powers (Amendment) Bill.  The Bill will make a small number of targeted changes to the Investigatory Powers Act 2016 including:

• changes to the bulk personal dataset regime to improve the ability of the intelligence services to respond with greater agility and speed to existing and emerging threats to national security
• expand the oversight regime to support the Investigatory Powers Commissioner in carrying out their role with more functions put on a statutory footing
• improve the notices regime to help the UK anticipate the risk to public safety posed by technology rolled out by multinationals which precludes lawful access to data
• ensure that Internet Connection Records can be used effectively to detect and target the most serious types of criminal activity and national security threats without a disproportionate increase in levels of intrusion
• increase the resilience of the warranty authorisation process to allow greater operational agility for the intelligence services and National Crime agency.

EU Cyber Resilience Act progress

The second trilogue on the Cyber Resilience Act reportedly resulted in progress but revealed two main outstanding areas of disagreement between the co-legislators.  There is disagreement over whether security incidents should be reported to ENISA or Member State CSIRTS and in which order.  The definition of what constitutes a critical product requiring conformity assessment to be done by certified auditors is also being debated.

ICO and EDPS issue MoU on cooperation in the application of data protection laws

The ICO and the EDPS have signed an MoU establishing a framework for cooperation between them on the application of data protection law.  The MoU sets out what information might be shared with the goal of improving best practice and supporting regulatory efforts as well as cooperating on projects of mutual interest.

Meta's subscription model being reviewed by EU DPAs

The Norwegian data protection regulator has confirmed it is taking part in a European-level assessment of Meta's new subscription ad-free model. Some regulators have expressed doubts about the new model, concerned that the choice between payment and non-payment, does not equate to GDPR-level consent to behavioural advertising. 

Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 laid before Parliament

These Regulations revoke and replace Article 4(28) of the UK GDPR and s205(1A) of the DPA and other provisions which relate to the meaning of references to fundamental rights and freedoms in data protection legislation.  This is in order to make the definition of rights and freedoms relate to the European Convention on Human Rights within the meaning of the Human Rights Act 1988, rather than to refer to the EU Charter of fundamental rights.  References relating to the right to data protection are also being removed as this right is not expressly included in the Convention.  The Regulations will come into force on 31 December 2023.

News as at 8 November 2023

AI Safety Summit and related developments

The AI Safety Summit hosted by the UK at Bletchley Park took place last week.  Notable developments include:

• the signing of the 'Bletchley Park Declaration' in which representatives of 28 governments including the EU, UK, US and China, committed to working together on shared AI safety standards
• the announcement by the US that it will set up an AI Safety Institute
• a non-binding commitment by tech firms including Meta, DeepMind, OpenAI and Google to allow regulators to review their products before placing them on the market
• support for an international expert body on AI to be set up
• a commitment to further summits with the next one to be hosted in France.

We discuss the summit in more detail here.

US Executive Order and AI Safety Institute

The full text of President Biden's Executive Order on Safe Secure and Trustworthy Development and use of AI (see last week's news) has now been published.  Vice President Harris also announced a range of commitments and policy developments at the summit, including the establishment of an AI Safety Institute intended to operationalise NIST's AI risk management framework, creating guidelines, tools, benchmarks and best practice recommendations to identify and mitigate AI risk.  It will also enable information sharing and research, including with the UK's planned AI Safety Institute.  The VP also announced draft policy guidance on US government use of AI, and the US made a political declaration on the responsible military use of AI and autonomy.

UN sets up global AI advisory board

The UN announced the launch of a high-level advisory body on AI.  This is a multi-stakeholder body intended to undertake analysis and make recommendations for international governance of AI.  The 38 participating experts are made up of government, private sector and civil society stakeholders.  They will consult widely to "bridge perspectives across stakeholder groups and networks".

Other initiatives

These include:

• The Partnership on AI consultation on its guidelines on safe foundation model deployment
• The Global Privacy Assembly resolution (sponsored by the EDPS) on generative AI systems, committing to ensuring the application of enforcement of data protection and privacy legislation in the context of generative AI, working cooperatively, and encouraging stakeholders to take privacy and data protection into account when developing and using generative AI systems.

AG Opinion on theft of personal data and identity theft/fraud

Advocate General Collins has given an opinion in a joined reference from Germany on the relationship between the theft of personal data and identity theft or fraud.  The AG opined that theft of personal data does not, in itself, constitute identity theft or fraud.  The theft may give rise to a right to compensation for non-material damage where there has subsequently been identity fraud as a result of the theft of the data, but the right to compensation does not depend on subsequent identity theft arising from the theft of the data.  Compensation for non-material damage must be assessed on a case by case basis taking all relevant circumstances into account. 

Latombe to appeal EU General Court decision on EU-US DPF

French MP Philippe Latombe is appealing the EU General Court's dismissal of his action to annul the EU-US Data Privacy Framework.  Mr Latombe, who sits on the CNIL, is bringing the action in his personal capacity.

ICO toolkit on sharing personal data with law enforcement

The ICO has published a toolkit on data sharing with law enforcement.  This is intended to help SMEs and sits alongside existing more detailed guidance on the issue and the ICO's code of practice on data sharing.

News as at 1 November 2023

Online Safety Act receives Royal Assent

The Online Safety Act (OSA) received Royal Assent on 26 October 2023.  Ofcom's powers have come in immediately but most of the rest of the provisions will be brought into force in two months' time. The OSA focuses on user-generated content (subject to limited exceptions) and applies to user-to-user services and search services as well as pornographic content services. The OSA regulates illegal content and certain specified types of harmful content, in particular, for services likely to be accessed by children, content that is harmful to them.  Terrorism and Child Sexual Exploitation and Abuse (CSEA) content are a particular focus, but a range of harmful content is also covered in specified circumstances. In relation to the most harmful type of content likely to be accessed by children, age verification/estimation must be used (subject to a limited exception).

The OSA applies to services which have links to the UK. Various safety duties apply to different categories of content. In order to establish what services need to do, they have to carry out a variety of risk assessments against Ofcom risk profiles.  Service providers also have transparency requirements and obligations to provide redress. There are wider duties to protect freedom of expression and the right to privacy including personal data. 

Category 1 services (to be determined, but likely to be the larger social media services) and Category 2A and 2B services have additional duties.  In particular, Category 1 services have expanded duties to protect fundamental freedoms including content of democratic importance and news publisher content.  They also have to comply with adult user empowerment provisions which require them to give adults users options to prevent them encountering certain types of harmful content.

Ofcom is the regulator of the OSA.  It has extensive powers and duties. It is responsible for producing initial risk profiles and a raft of codes of practice and guidance which will inform how service providers are supposed to comply with the OSA, as well as a range of reports on the impact and operation of the OSA.  The process of introducing these (as set out in Ofcom's revised approach to implementing the OSA) is likely to take at least three years with everything subject to consultation and much of it dependent on the introduction of secondary legislation.  Ultimately, Ofcom will have a range of enforcement powers including the ability to fine organisations the higher of up to £18m or 10% of global annual turnover.  The OSA is very wide-ranging and Ofcom estimates that around 100,000 online services could be in scope.

Leadup to AI Safety summit – UK, US and G7 developments

UK

The Prime Minister announced the world's first AI Safety Institute to advance knowledge of AI safety, evaluate and test new AI and explore a range of risks.  In his speech, the Prime Minister also re-iterated the UK's approach to regulating AI set out in its AI White Paper.  DSIT published a discussion paper to support the Summit and published a report evaluating the six-month pilot of the UK's AI Standards Hub.  In addition, leading frontier AI firms responded to the government's request to outline their safety policies.

USA

President Biden has issued an Executive Order on safe, secure and trustworthy AI (EO). The EO requires:

• developers of the most powerful AI systems to share their safety test results and other critical information with the US government
• the National Institute of Standards and Technology to develop standards, tools and tests to help ensure AI systems are safe, secure and trustworthy.  The Department of Homeland Security will apply those standards to critical infrastructure sectors and establish the AI Safety and Security Board.  The Departments of Energy and Homeland Security will also address AI systems' threats to critical infrastructure as well as chemical, biological, radiological, nuclear and cybersecurity risks
• development of strong new standards for biological synthesis screening to protect against the risks of using AI to engineer dangerous biological materials
• protection of Americans from AI-enabled fraud and deception by establishing standards and best practices for detecting AI-generated content and authenticating official content
• an advanced cybersecurity program to develop AI tools to find and fix vulnerabilities in critical software
• development of a National Security Memorandum to direct further actions on AI and security

The EO also calls on Congress to pass bipartisan data privacy legislation and directs the following actions:

• prioritising federal support for accelerating the development and use of privacy-preserving techniques
• strengthening privacy-preserving research and technologies
• evaluating how agencies collect and use commercially available information and strengthening guidance for federal agencies to account for AI risks
• developing guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques including those used in AI systems.

Further directions cover the areas of:

• advancing equity and civil rights
• consumer, patient and student rights
• supporting workers
• promoting innovation and competition
• advancing American leadership abroad
• ensuring responsible and effective government use of AI.

G7

The G7 leaders have agreed International Guiding Principles for all actors in the AI ecosystem and an International Code of Conduct for developers of advanced AI systems as part of the Hiroshima AI process. 

The guiding principles document is intended to be a 'living document' building on the existing OECD AI principles. It currently sets out 11 non-exhaustive principles to help "seize the benefits and address the risks and challenges brought by AI". They are intended to apply to all AI actors when and as applicable, to cover design, development, deployment and use of advanced AI systems. They include commitments to mitigate risks and misuse, and identify vulnerabilities, to encourage responsible information sharing, reporting of incidents, investment in security and a creation of a labelling system to enable users to identify AI-generated content.

The G7 suggests organisations follow the voluntary Code of Conduct which sets out a list of actions to help maximise benefits and minimise risks of advanced AI systems with actions for all stages of the AI lifecycle.

Latest on EU AI Act and EDPS Opinion

The latest round of trilogues on the EU's draft AI Act was held on 24 October 2023.  Agreement was reportedly reached on provisions for classifying high-risk AI applications and on general guidance for using enhanced foundation models.  The next round of trilogues is planned for 6 December and may cover prohibitions and law enforcement use which were not resolved last week. 

In the meantime, the EDPS has published an Opinion on the AI Act setting out its final recommendations as the Act nears completion.  Much of the Opinion relates to the EDPS's role as the notified body and market surveillance authority as well as competent authority for the supervision of the provision or use of AI systems in respect to which it asks for a number of clarifications. The EDPS also calls for privacy protections to be at the forefront of the legislation, and for  a right for individuals to lodge complaints regarding the impact of AI systems on them with the EDPS explicitly recognised as competent to receive complaints alongside DPAs who, the EDPS recommends, should be designated as the national supervisory authorities under the AI Act to cooperate with authorities that have specific expertise in deploying AI systems.

DSIT initial conclusions from evaluation of IDTA and EU SCC Addendum

The Department for Science, Innovation and Technology, has published an executive summary and its initial conclusions from the first phase of an evaluation of the International Data Transfer Agreement (ITDA) and the Addendum to the EU SCCs.  These transfer mechanisms replaced the original GDPR Standard Contractual Clauses as a lawful mechanism under which to transfer personal data to third countries.

The evaluation concluded there was a considerable difference between awareness and implementation of the transfer mechanisms of larger versus smaller organisations.  Smaller organisations tended to be less proactively engaged with data protection issues and unaware of the IDTA.

Possible action points identified include awareness raising, implementation monitoring and evaluation of the wider impacts of uptake.

ICO blog on how data protection law can help retailers tackle shoplifting

The ICO has published a short blog on how data protection law can be used to share criminal offence data to prevent or detect crime (particularly shoplifting) while complying with principles of necessity and proportionality. The blog contains examples of what may or may not be appropriate and looks to be targeted at smaller retailers.  It coincides with the publication of the government's Action Plan to tackle Shoplifting.

Explanatory memorandum to journalism code of practice laid before Parliament

The Department for Science, Innovation and Technology has published an explanatory memorandum to the Data Protection and Journalism Code of Practice. It sets out the procedure under which the code was developed and for it gaining statutory force.  The draft code was presented to the Secretary of State in July 2023.  Once it has been laid and completed parliamentary procedure (40 days for sifting), it will gain statutory status at which point it can be relied upon in legal proceedings, and will carry more weight than 'guidance'.

TikTok given leave to appeal GDPR fine

The Irish High Court has granted TikTok Technology Ltd leave to appeal the Irish Data Protection Commission's decision to fine it €345m for breaches of the GDPR. TikTok is also appealing the EDPB's decision which the Irish DPC was required to follow.

EDPB extends Norway's ban on Meta's behavioural advertising

The EDPB has agreed with the Norwegian Data Protection Authority and directed the Irish Data Protection Commissioner to permanently ban Meta from carrying out behavioural advertising in the EU on its Facebook and Instagram platforms based on legitimate interests. In July 2023, Norway imposed a ban on Meta from carrying out behavioural advertising in Norway using tracking technology on the grounds of legitimate interests, following an ECJ ruling which said this was unlawful.  The Norwegian DPA referred the matter to the EDPB, asking it to extend the ban to the rest of the EU until such time as Meta moves to a consent model for behavioural advertising.

Meta has already announced it will move to offering users a paid-for ad-free subscription model as an alternative, arguing that it will then be able to rely on consent as the lawful basis for ad targeting in its free model.  The Norwegian DPA said "The Danish Data Protection Authority also strongly doubts whether Meta's proposed consent solution, which means that those who do not consent to behaviour-based marketing must pay a fee, will be legal".

ICO toolkit on sharing personal data with law enforcement

The ICO has published a toolkit on data sharing with law enforcement. This is intended to help SMEs and sits alongside existing more detailed guidance on the issue and the ICO's code of practice on data sharing.

News as at 25 October 2023

ICO has broad discretion to resolve complaints, says Court of Appeal

The Court of Appeal has upheld the High Court's ruling that the UK's ICO is not required to reach a definitive decision on the merits of individual complaints but has broad discretion.  The CA said the ICO is only required to handle and investigate complaints to an appropriate extent under Article 57(1)(f) UK GDPR.  The ICO welcomed the CA's ruling that it had acted lawfully over a SAR complaint and its confirmation that the ICO has broad discretion in deciding the extent to which it investigates each complaint and is entitled to reach and express a view on it without necessarily determining whether or not there has been an infringement.

EDPB 2024 coordinated enforcement action announced

The EDPB has announced that its 2024 coordinated enforcement action will focus on the way controllers implement the right of access.  Further work will now be carried out to specify the details and the action will be launched in 2024.

Clearview AI wins appeal against ICO fine

Clearview AI was fined £7.5m by the UK's ICO in May 2022 in relation to its scraping of the images of UK individuals to power its facial recognition database.  The First Tier Tribunal has now found that the ICO had no jurisdiction to issue its enforcement and penalty notices on the basis that the UK GDPR (and GDPR) did not apply to the processing at issue.  Clearview AI succeeded because it successfully argued it is a foreign company providing its service to foreign clients using foreign IP addresses, and in support of the public interest activities of foreign governments and government agencies, in particular in relation to their national security and criminal law enforcement functions, such functions being targeted at behaviour within their jurisdiction and outside the UK.  It will be interesting to see whether Clearview AI has similar success against any appeals relating to fines by EU supervisory authorities.

Draft Regulation for EU Common Criteria-based cybersecurity certification scheme

The EC has published a draft implementing Regulation setting out rules for the application of the Cybersecurity Act for the European Common Criteria-based cybersecurity certification scheme (EUCC).  Once adopted, it will apply to all information and communications technologies which are submitted for certification under the scheme and is therefore relevant to ICT organisations operating in the EU. 

EDPB and EDPS Joint Opinion on the proposed Regulation on the digital Euro

The EDPB and EDPS have published a Joint Opinion on the proposed Regulation on the digital Euro.  They are broadly supportive but make a number of recommendations to better ensure data protection standards.  These include recommendations to:

• clarify the processing of single access point verification and whether the single access point is necessary and proportionate
• consider whether the fraud detection and prevention mechanism is necessary in its current form and whether it could be less intrusive
• introduce a privacy threshold for online transactions under which neither offline nor online low value transactions are traced for anti-money laundering or combatting financing of terrorism purposes
• further clarify the data protection responsibilities of the ECB and the PSPs.

DHSC updates access policy for Secure Data Environments

The DHSC has published the final version of its data access policy update setting out its policy decisions regarding Secure Data Environments (SDEs) for secondary uses of NHS data.  A consultation outcome document explains the changes made in response to its consultation. These include:

• clarifying that SDEs will comply with the national data opt-out and adhere to the principles of NHS England's Value Sharing Framework for NHS data partnerships
• further emphasising the importance of transparency
• including a framework setting out how exceptions to the data access policy will be made
• adding descriptions of key terms.

The DHSC has committed to providing more information in several areas including on what data will be made available.

News as at 12 October 2023

EU General Court rejects attempt to suspend EU-US DPF

The EU General Court has rejected an application for by French MEP Philippe Latombe for interim relief to suspend the execution of the EU adequacy decision in favour of the EU-US Data Privacy Framework.  The Court said the applicant had failed to prove the required individual or collective harm caused by the decision.

Genetic data of 1m people of Jewish Ashkenazi descent put on dark web

23andMe has reported a leak which reportedly led to the data of 1m people of Jewish Ashkenazi descent being placed on the dark web.  Included data is first and last name, sex, and the genetic evaluation of their origins.  23andMe says it doesn't believe it was hacked but that the attackers were able to obtain user logins by scraping already compromised credentials.  It is thought other lists may also have been compiled, for example of those with Chinese origin.

CNIL guidance on AI data protection compliance

The French data protection regulator, the CNIL, has published a series of guidelines for using AI in a data protection compliant way.  They cover a range of topics including selection of lawful basis, data protection by design and when to carry out a DPIA.

Equifax fined by FCA over 2017 data breach

The UK's Financial Conduct Authority (FCA) has fined Equifax Ltd. £11m for failing to manage and monitor the security of UK consumer data it had outsourced to its US parent company. The 2017 Equifax Inc. data breach compromised the personal data of approximately 13.9m UK individuals.  The FCA said the data breach was "entirely preventable".  Equifax Ltd. had failed to treat its parent company as an outsourcer and consequently failed to put protections in place for the data.  There were known weaknesses in Equifax Inc.'s data security systems which Equifax Ltd. did not address. Equifax Ltd. did not find out about the breach until six weeks after it had happened and five minutes before it was publicly announced and consequently was not prepared to deal with customer complaints.  The FCA also said that public statements were misleading, customer complaints were not properly dealt with and notifications were not given as required.  The final fine was discounted by 30% after Equifax agreed to resolve the matter.  Equifax also received a 15% mitigation credit.  The ICO fined Equifax £500,000 in relation to the same data breach in 2018.

TikTok appeals EDPB decision

TikTok has filed an appeal against the EDPB Article 65 decision which the Irish Data Protection Commissioner was required to take into account when deciding to fine it for breach of data protection law.  It is appealing the Irish DPC's decision separately in the Irish High Court.

OpenAI introduces age verification for ChatGPT in Italy

OpenAI has reportedly introduced age verification measures for Italian users of ChatGPT in response to directions from the Italian data protection supervisory authority, the Garante.  The Garante blocked ChatGPT in March and then agreed a number of required measures with OpenAI.  These were originally required by the end of September, a deadline subsequently extended by 60 days.  The new age verification tool allows users either to use AI-powered facial analysis to estimate the age of the user, or to upload documents together with a photo, or to use a digital identity product.  If the user is aged 13-17, a parent or guardian is supposed to go through the process.  Full details are not yet available.

EDPS Opinion on proposed AI liability Directives

The EDPS has published an Opinion on the European Commission's draft AI Liability Directive, and the draft Directive on adapting noncontractual civil liability rules to AI (AILD).  The EDPS recommends:

• Ensuring individuals who have suffered damages caused by AI receive a similar level of protection regardless of who is using the system (eg whether private or public sector)
• Procedural safeguards under Articles 3 and 4 of the AILD should apply whatever the risk classification of the AI model
• Providers and users should be explicitly required to disclose information pursuant to Article 3 of the AILD in an intelligible and generally understood format
• The AILD proposal should be explicitly without prejudice to data protection law
• Considering additional measures to further alleviate the burden of proof.

ICO looks for 2024 Regulatory Sandbox participants

The ICO has put out a call for applications for its Regulatory Sandbox programme for 2024.  Its current area of focus is on biometric processing, emerging technologies, and exceptional innovations.  Expressions of interest will be assessed on the basis of whether the product or service being developed is innovative and could provide a demonstrable benefit to the public.  Applications must be submitted by 31 December. 

Updated code of practice on minimum security and privacy requirements for app store operators and app developers

As part of the National Cyber Strategy and following a public consultation, the government has published an updated version of its code of practice which sets out the minimum security and privacy requirements for all app store operators and app developers.  The original version of the code was published in December 2022 on a voluntary basis with a nine-month implementation period for operators and developers.  In May 2023, DSIT consulted on progress and concluded that additional clarifications were needed for some provisions. As a result, the implementation period is being extended by six months to March 2024. DSIT will then review adherence levels and make recommendations to the Secretary of State on next steps.  The voluntary code of practice is intended to supplement but not to replace pre-existing legal obligations and is tailored to data breaches in the context of app stores.

California's 'Delete Act' signed into law

California's Governor has signed the so-called Delete Act into law.  It requires data brokers to register with the California Privacy Protection Agency which will be required to develop a one-stop-shop mechanism to allow consumers to request deletion and tracking of their personal data.  This will need to be set up by 1 January 2026 and from 1 August 2026, data brokers will be required to process deletion requests within 45 days.  Some 500 data brokers are thought to be operating in California.

News as at 12 October 2023

ICO issues Snap with preliminary enforcement notice regarding AI chatbot

The ICO has issued Snap Inc and Snap Group Limited, with a preliminary enforcement notice over potential failure to properly assess the risks to privacy posed by the AI Chatbot 'My AI' deployed on Snapchat.  My AI is powered by ChatGPT.  It was rolled out to Snapchat+ users in February 2023, and then to the wider Snapchat user base in April 2023. 

The ICO provisionally finds that Snap failed to adequately identify and assess the risks to several million My AI users including children aged 13-17.  It found that the risk assessment carried out before launch did not adequately assess the data protection risks posed by the generative AI technology, particularly to children.  The preliminary notice sets out steps the ICO may require if a final enforcement notice is adopted.  These measures are subject to Snap's representations in response to the preliminary notice.  They may, however, require Snap to stop processing data in connection with My AI and to stop offering it to users pending an adequate DPIA.

The ICO will now consider representations by Snap pending a final decision and no conclusion can be drawn as to whether Snap has breached data protection law or whether a final enforcement notice will eventually be issued.

ICO publishes draft guidance on penalty notices and fines for consultation

The ICO has published draft Data Protection Fining Guidance for consultation. The guidance is intended to replace parts of the ICO's Regulatory Action Policy (RAP) on its approach to fining. It sets out the legal framework underpinning the ICO's powers to impose fines, the circumstances in which the ICO would consider it appropriate to issue a penalty notice, as well as factors which will influence how the fine is calculated.

The RAP will remain applicable to:

• when the ICO will allow oral representations following a notice of intent to issue a penalty notice
• how the ICO will proceed if the fine is not paid
• guidance on fixed fines for failure to pay the data protection fee.

What is an "undertaking"?

The ICO focuses on what constitutes an "undertaking" for the purposes of issuing fines and proposes that where a controller or processor forms part of an undertaking (for example, as a subsidiary), maximum fines will be based on turnover of the undertaking as a whole. While the UK GDPR and Data Protection Act 2018 (DPA) do not define what constitutes an "undertaking" in the context of imposing fines, the ICO says the recitals to the UK GDPR are clear that the term should be understood in accordance with UK competition law. As such, an undertaking does not, in this context, correspond with the commonly understood notion of a legal entity or company under eg English commercial or tax law, but may comprise one or more legal or natural persons forming a 'single economic unit' rather than a single entity characterised as having a legal personality.

Whether or not an individual controller or processor forms part of a wider undertaking depends on whether it can act autonomously or whether another legal or natural person, for example, a parent company, has decisive influence over it and therefore forms part of the same economic unit. The ICO will consider all relevant factors but there will be a rebuttable presumption of decisive influence where a parent company owns all or nearly all the voting shares in a subsidiary.

Linked processing operations

The ICO also explains the approach to fines where there is more than one infringement by a controller or processor ie where one infringement arises from the same or linked processing operations. This will be decided on a case-by-case basis. Where processing operations or sets of operations form part of the same overall conduct, the controller or processor may infringe more than one provision of applicable law. The ICO will consider all relevant circumstances but relevant factors are likely to include the extent to which the processing operations or set of operations are:

• aimed at achieving a particular purpose or form part of the same means of processing determined by a controller
• related to the same, or a similar group of data subjects, and
• carried out concurrently or sequentially or otherwise in a way that is proximate in time.

Where the ICO finds overall conduct has infringed more than one provision, the ICO will identify the statutory maximum applicable to the most serious individual infringement. The ICO may decide to impose a fine for each infringement arising from the same or linked processing operations provided the sum of those penalties does not exceed the statutory maximum for the gravest infringement.

Conversely, an investigation may identify that different forms of conduct by a controller or processor have infringed separate provisions of the UK GDPR or DPA and will not be sufficiently linked. In such cases, the ICO may decide to include the separate infringements in the same penalty notice, however each infringement would be subject to the relevant statutory maximum amount and might therefore exceed the maximum amount for the gravest single infringement.

The consultation is open until 27 November 2023.

German Bundeskartellamt decision on Google's alleged anti-competitive data processing practices

On 5 October, the German Federal Cartel Office (Bundeskartellamt) issued its decision on the antitrust investigation of Google for alleged anti-competitive data processing practices, accepting the commitments made by the company and closing the investigation. In particular, the commitments require Google to offer users the opportunity to give their voluntary, specific, informed and unambiguous consent to the processing of their data across different services or to combining their data with third party data. Google must provide users with appropriate choices when combining data. The design of the user choice architecture should avoid manipulative direction to accepting cross-service data processing and prevent the use of dark patterns. Where Google's data processing terms explicitly state that certain data will not be processed across services, there is no obligation to provide user options. The Bundeskartellamt stated that the commitments will remain in force until 30 September 2029.

News as at 5 October 2023

Norwegian DPA refers Meta case to EDPB

The Norwegian DPA has requested a binding decision from the EDPB in the Meta case.  Its decision banning Meta from carrying out behavioural advertising in Norway on the basis of legitimate interests expires on 3 November.  It is asking the EDPB for a binding decision to make the ban permanent in Norway and to extend it to the whole of the EU/EEA. Meta does not believe the Norwegian DPA has a legal basis to request such a decision from the EDPB and also underlines that it is planning to move to using consent as the lawful basis for behavioural advertising. The Norwegian DPA says that as there is no clear date for when a consent mechanism may be in place, it needs to make a referral.  The EDPB will now assess the completeness of the file.  Assuming this is satisfied, the decision process will begin. 

In the meantime, however, Meta is reportedly progressing in discussions with the Irish Data Protection Commissioner about its plans to move to a subscription model for ad-free services on its Instagram and Facebook platforms.  It is proposing around €19 per month to access both services ad-free on smartphones and slightly less to access them on desktop.  It may be that if it commits to this within a sufficiently quick fixed timeframe, the EDPB will hold fire on an EU-wide ban, even if Meta can't meet the November deadline.

Irish DPC publishes case studies

The Irish Data Protection Commissioner is the lead EU data protection regulator for some of the largest online companies in the world.  As such, it has experienced a heavy workload and been at the forefront of some of the most high profile GDPR enforcement actions.  Lately, it has seen some of its most significant decisions referred to the EDPB under the consistency and cooperation procedure and has faced criticism from some quarters for not acting sufficiently quickly and forcefully.  It has now published a series of case studies from 2018-2023.  The 110 page document does not, however, focus exclusively, or even mainly, on the 'big tech' decisions but spans the whole of the GDPR and summarises a range of cases, often on a no-name basis.

Data Governance Act now applies

The Data Governance Act (DGA) came into force in June 2022 with a 15-month grace period.  Its application began on 24 September 2023.  The DGA seeks to increase trust in data sharing, particularly in the public sector, to strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.  The DGA will also support the set up and development of common European data spaces.  The DGA sits alongside the Data Act and sets up frameworks for data sharing.  Affected organisations must now comply.

Clearview AI reaches US settlement

Clearview AI which has been the subject of regulatory enforcement action across the EU and UK in relation to its unlawful scraping of personal data to create an image database, has reportedly settled a class-action lawsuit in the US in relation to the same issues.  The class action alleged breach of the Illinois Biometric Information Privacy Act and the privacy laws of California, New York and Virginia. The details of the settlement have not been made public.

ICO warns organisations against data breaches which put abuse victims' lives at risk

The ICO has called on organisations to handle personal information properly to avoid putting victims of domestic abuse at further risk.  The call comes after the ICO says it has reprimanded seven organisations over the last 14 months, for data beaches affecting victims of domestic abuse.  The ICO says organisations should train staff and put appropriate systems in place to avoid such breaches.

EDPB guidelines on data transfers for law enforcement purposes

The EDPB has adopted Guidelines on data transfers subject to appropriate safeguards under the Law Enforcement Directive.  The Guidelines relate to Article 37 of the Directive which deals with transfers of personal data by competent authorities or international organisations competent in the field of law enforcement.  The Guidelines look, in particular, at the legal standard for appropriate safeguards to protect the data.

Cyber Essentials scheme updates public procurement policy note

The government has updated PPN 09/14 which sets out actions for central government departments, their executive agencies, non-departmental public bodies and NHS bodies to take in relation to cyber security in certain procurement contracts.  Other public bodies are encouraged to follow the approach.  In-scope organisations are required to implement PPN 09/23 within three months of its publication.

Updated AG Opinion on Quadrature du Net case

In October 2022, AG Szpunar delivered an Opinion in the case La Quadrature du Net and others v Premier Ministère de la Culture. The AG said that Article 15(1) of the ePrivacy Directive read in light of the Charter of Fundamental Rights, does not preclude national legislation that allows for the general and indiscriminate retention of IP addresses for a period of time limited to what is strictly necessary for preventing, investigating, detecting and prosecuting online criminal offences, provided that this data is the only means of identifying the person to whom that address was assigned at the time of the commission of the infringement. This can be done without prior review by a court or independent body if, as in this case, the linking is at a given point in time and is limited to what is strictly necessary to achieve the objective.

The AG has now refreshed his Opinion following the reopening of the case and he expands on his original reasoning and confirms in addition to the above that:

• Article 15(1) of the ePrivacy Directive read in light of the Charter, does not preclude an administrative authority responsible for protecting copyright against infringements of those rights committed on the internet from obtaining access to such addresses and data where it has been lawfully retained.
• The IP address, the civil identity of the person having a right of internet access and the information relating to the work in question do not make it possible to draw precise conclusions about the private life of the person presumed to have infringed copyright.

ICO publishes guidance on monitoring of workers by employers

The UK's Information Commissioner's Office has published its final guidance on worker monitoring to help employers comply with data protection law if they wish to monitor their workers. This is aimed at both public and private sector employers and sets out how to conduct monitoring fairly and lawfully. It also includes good practice recommendations to help build trust between employers and workers.

Unsurprisingly, the ICO highlights the importance of transparency and respect for privacy, underlining that any monitoring must be necessary, proportionate and respect the rights of workers.  

The guidance focuses on different considerations for different types of monitoring and includes a section on using biometric data for time and attendance control and monitoring. Interestingly, this comes while the ICO's draft guidance on biometric data and data protection (part one of two on biometric data guidance) is still out for consultation. It's unlikely it will change significantly before it is published in final form, and, as most of the practical examples relate to using biometric data in an employment situation, employers considering monitoring workers should refer to this draft guidance as well as to the final worker monitoring guidance.

News as at 28 September 2023

UK-US Data Bridge to take effect on 12 October 2023

The UK government has laid the Data Protection (Adequacy) (United States of America) Regulations 2023 before Parliament. They will come into force on 12 October 2023.  These Regulations are effectively an adequacy decision in favour of the US. They establish the UK-US Data Bridge (the government's preferred term for adequacy) which allows transfers of personal data to be made to US organisations signed up to the EU-US Data Privacy Framework (DPF) and participating in the UK Extension to it, without the need for additional transfer mechanisms like the Standard Contractual Clauses or Binding Corporate Rules. The US has already designated the UK as a qualifying state. This means UK individuals have the right to access the redress mechanism set out under Executive Order 14086 (EO).

The government has published supporting documents including:

• a Paper in support of the UK's designation as a qualifying state by the US
• an explainer of the Data Bridge
• a factsheet.

Not all US organisations are entitled to sign up to the DPF and UK Extension. The scheme is regulated by the FTC and Department of Transport.  Organisations regulated by other departments and outside FTC jurisdiction, for example those in banking, insurance and telecoms, are ineligible.  In addition, journalistic data cannot be transferred under the UK-US Data Bridge.

Special category data can be shared but owing to a difference in definitions, it must be correctly identified by UK organisations as such when it is being shared in order to attract the relevant level of protection in the US.

US recipient organisations are required to indicate they are seeking to receive criminal offence data as part of a human resources data relationship where relevant. Where such data is being shared outside an HR relationship, it must be made clear the data is sensitive and requires additional protections.

According to the government factsheet, before sending personal data to the US, the exporting UK organisation must:

• confirm whether an organisation is an active DPF participant by checking the DPF List
• confirm the said organisation has signed up to the UK Extension to the EU-US DPF
• if wishing to transfer HR data, confirm HR data is covered by the organisation's DPF commitments by:
• clicking on the organisation's name within the DPF List
• within the organisation's DPF program record, click on the link to the relevant privacy policy or policies (for HR data and/or non-HR data) under the 'Privacy Policy' section of the record
• review the privacy policy that applies to the covered information. 

The ICO published an Opinion providing "qualified" support for the Regulations and concluding that "while it reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections are not properly applied." These are:

• the need to identify biometric, genetic, sexual orientation and criminal offence data as "sensitive data" when sending it to the US in order to benefit from adequate protections, due to the different definitions in the UK GDPR and the Extension which does not specify all the Article 9 categories.  This is a risk as there is no requirement to do this under UK law so there is a concern UK organisations may not realise they need to do it
• the lack of equivalent protections relating to criminal offence data under US law as those set out in the UK's Rehabilitation of Offenders Act 1974
• the UK Extension does not contain a substantially similar right to the UK GDPR in terms of protecting individuals from being subject to decisions based solely on automated processing which have a legal or similarly significant effect and, in particular, there is no right to obtain a human review of such an automated decision
• the UK Extension contains neither a substantially similar right to the UK GDPR's right to be forgotten nor an unconditional right to withdraw consent.  The Extension therefore does not give individuals control over their data at a level equivalent to that under the UK GDPR.

The ICO underlines the need for the Secretary of State to monitor the level of data protection and review it every four years, as well as to monitor relevant developments in the destination country.  In addition to the four areas of concern, the ICO also recommends the Secretary of State monitor:

• that the requirements under the DPF including the Principles rights and exemptions, work as intended
• the implementation and compliance with the requirements of the EO by the US intelligence community
• the effectiveness of US oversight and enforcement bodies in ensuring compliance with the DPF Principles, the EO and resolving complaints from individuals, and
• any significant changes in the US legal landscape.

Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 made

These Regulations made on 21 September 2023 (PSTI Regs), set out the security requirements for manufacturers (but not importers or distributors) of connectable products under the Part 1 of the Product Security and Telecommunications Infrastructure Act (PSTIA). 

Part 1 of the PSTIA deals with security of relevant consumer connectable products, potentially placing obligations on manufacturers, importers and distributors, and is set to come into force on 29 April 2024.  Much of the detail on what security measures will be required from manufacturers is set out in the PSTI Regs, which will come into force on the same date.  The PSTI Regs are based on the UK's Code of Practice for Consumer IoT security and ETSI EN 303 645, and advice from the National Cyber Security Centre.

The PSTI Regs cover:

• requirements for default passwords
• information that must be provided to the public on reporting security issues
• what information must be provided to the public on the minimum period for which in-scope products will benefit from security updates
• exempt products
• what information must be included in the statement of compliance under s9 PSTIA
• conditions under which a manufacturer will be deemed to comply with security requirements under s3 PSTIA
• that a copy of the compliance statement must be retained for ten years from the date of issue or the minimum period set out in the statement (whichever is longer).

Read more about the PSTI Regulations here.

EDPB and EDPS joint Opinion on cross-border enforcement

The EDPB and EDPS have adopted a joint Opinion on the European Commission's Proposal for a Regulation on additional procedural rules for the enforcement of the GDPR.  They broadly welcome the proposal but make a few recommendations for areas where further clarification is needed.  They also stress that the Proposal should not unduly restrict the intervention by the Concerned Supervisory Authorities on draft decisions and urge the Commission not to change the current approach to the parties' right to be heard in any dispute resolution procedure where the SAs have not reached consensus.

The EDPB and EDPS have also adopted a joint contribution in response to the EC's public consultation on the template report for the description of consumer profiling techniques pursuant to Article 15 of the Digital Markets Act.  They recommend that gatekeepers provide additional information concerning the categories of personal data they process and details about their data protection practices.

House of Commons Committee inquiry into cyber resilience of UK's critical infrastructure

The House of Commons Science and Technology Committee has launched an inquiry and call for evidence on the cyber resilience of the UK's critical national infrastructure as measured against resilience targets by 2025.  It will look at what the sector needs to achieve those targets and at how to make computer hardware architecture which underpins the critical infrastructure more secure by design.  Submissions are invited on a range of issues, including the strength of government programs and support, by 10 November 2023.

News as at 21 September 2023

US designates UK as a qualifying state in prelude to conclusion of the UK-US Data Bridge

On 18 September, the US Attorney General designated the UK as a "qualifying state" for the purpose of implementing the redress mechanism established in Executive Order 14086.  The designation will become effective when the UK regulations implementing the Data Bridge for the UK Extension to the EU-US Data Privacy Framework (DPF) come into force.  Once in force, organisations in the UK will be able to export personal data to US organisations which self-certify compliance pursuant to the UK Extension to the DPF, without the need for additional transfer tools.

Irish DPC fines TikTok €345m

The Irish Data Protection Commissioner has fined TikTok Technology Limited €345m under direction from the EDPB.  The Irish DPC initiated an inquiry into the extent to which TikTok complied with its GDPR obligations in relation to its processing of children's personal data between 31 July 2020 and 31 December 2020 (the relevant period), looking at:

• certain TikTok platform settings including public-by-default and 'Family Pairing' feature settings
• age verification as part of the registration process.

The DPC also examined transparency compliance in relation to the information provided to children about default settings.

Following an Article 65 resolution process and in accordance with the EDPB's decision, the Irish DPC has now adopted its final decision that during the relevant period, TikTok's public by default settings and the way it communicated information led variously to breaches of GDPR provisions relating to fairness, transparency and privacy by design and default. The Irish DPC was also required to take into account the EDPB's findings that TikTok had implemented dark patterns in breach of the Article 5 fairness requirement

The DPC has issued:

• a reprimand
• an order for TikTok to bring its processing into compliance within three months
• a fine of €345m.

In a statement quoted in the media, TikTok said "We respectfully disagree with the decision, particularly the level of the fine imposed.  The DPC's criticisms are focused on features and settings that were in place three years ago, and that we made changes to well before the investigation even began, such as setting all under-16 accounts to private by default".

ICO guidance on sharing data to protect children

The ICO has urged organisations to share information to protect children and young people at risk of serious harm.  The ICO has published new guidance setting out ten steps to sharing information to safeguard children as part of the wider safeguarding process.  The aim of the guidance is to reassure people involved in safeguarding children, that data protection law does not prevent information sharing but ensures it is shared in a fair and proportionate way.  In particular, the ICO says there should be no hesitation in sharing information in an emergency.  In such cases, there may not be time to follow all the usual processes. The ICO suggests planning ahead for emergency or urgent situations so that everyone is clear what should happen when time is of the essence.

ICO and CEO of NCSC sign MoU

The UK's Information Commissioner and the CEO of the National Cyber Security Centre have signed a joint Memorandum of Understanding setting out how the ICO and NCSC will co-operate.  Their plans include focusing on:

• information sharing
• developing standards and guidance
• deconfliction in relation to incident management
• policy announcement and implementation.

Delaware latest US State to enact privacy law

The Delaware Personal Privacy Act has been signed and will come into effect on 1 January 2025.  Delaware is the latest US State to enact a privacy law.  The law will apply to entities conducting business in Delaware that control or process the personal data of over 35,000 consumers or 10,000 where the sale of their personal data accounts for more than 20% of the entity's gross revenue.  Delaware is so far the only US State to impose restrictions on selling the personal data of children aged between 16-18.

ECtHR rules UK surveillance activities unlawful

In line with a wider 2021 ruling, the European Court of Human Rights has ruled that UK surveillance activities infringed the privacy of two non-residents.  The complainants had tried to bring their case before the UK's Investigatory Powers Tribunal but were unsuccessful and then sought redress before the ECtHR.

News as at 14 September 2023

Meta reportedly considering paid-for ad free services in EU

In the wake of the ECJ ruling which said contractual necessity is unlikely to be a valid lawful basis on which to base processing personal data to target advertising, Meta switched to rely on legitimate interests for these purposes. This has already come under scrutiny in the ECJ Budeskartellamt judgment and, notably, in Norway which has imposed a ban on Meta using personal data processed in Meta's legitimate interests for behavioural advertising. Meta is thought to be considering offering EU users an opt-in to receiving targeted ads but has now been reported as also looking at offering a free service with ads and allowing users to pay for an ad-free service on Facebook and Instagram.

ICO to investigate period tracker apps

The ICO has announced it will review period and fertility tracking apps after a poll commissioned by the regulator showed that half of users have concerns over data sharing and transparency when choosing an app. Data security was another issue.  The ICO is asking users to share their experiences through a survey in a call for evidence.  It will also be commissioning focus groups and user testing.

Initial gatekeepers and core platform services designated under the DMA

On 6 September 2023, the European Commission published its first set of gatekeeper designations and core platform services under the Digital Markets Act as follows (gatekeeper in bold):

• Alphabet – Google, Chrome, YouTube, Google Android, Maps, Play, Shopping and Search
• Amazon – Amazon and Amazon Marketplace
• Apple – App Store, Safari, iOS
• ByteDance - TikTok
• Meta – Facebook, Instagram, Meta Marketplace, Meta, WhatsApp and Messenger
• Microsoft – LinkedIn and Windows PC OS.

The gatekeepers must comply with DMA requirements in full by 6 March 2024 although some obligations (eg to inform the Commission of any intended concentration) apply from designation.

The Commission has also opened market investigations into submissions by Microsoft and Apple that some of their core platform services do not qualify as gateways despite meeting the threshold for core platform services. The relevant services are:

• Microsoft – Bing, Edge and Microsoft Advertising
• Apple – iMessage.

It is also looking at whether Apple's iPadOS should be designated as a gatekeeper despite not meeting the thresholds.

The Commission concluded that while Samsung Internet Browser meets thresholds to qualify as a gatekeeper, it does not qualify as a gateway to reach end users. It reached similar conclusions about Alphabet's Gmail, and Microsoft Outlook.

Google's Privacy Sandbox reaching "general availability" on Chrome

Google has announced that its Privacy Sandbox for the web is reaching "general availability" on the Chrome browser,  The Privacy Sandbox is intended to enhance privacy and give users more control over what ads they see.  Its relevance and measurement APIs pave the way for phasing out third party cookies by the end of 2024.  Chrome has also released new controls which allow users to select options relating to Privacy Sandbox features.

French MP seeks to challenge EU-US Data Privacy Framework

French MP Philippe Latombe has said he is seeking to challenge the EU-US Data Privacy Framework before the EU General Court of Justice. There are doubts as to whether the challenge will be admissible owing to issues with legal standing. 

Which? calls for ICO to do more on smart devices

UK consumer group Which? has published an article looking at the collection of personal data by a range of smart devices. It raises concerns that more data is being collected than is necessary and that there is a lack of transparency as to what collected data is used for. It calls on the ICO to "crack down on data collection by manufacturers and marketing firms that appears to go beyond "legitimate interests". A proper standard of practice should also be put in place to make the rules clearer". A number of leading smart device providers defended their data processing practices in the article.

Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations

The Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations have been sent for sifting (the first stage in adoption). The Regulations will amend the definition of "fundamental rights and freedoms" in data protection legislation to refer to rights recognised under UK law, rather than retained EU law which will no longer be recognised after the end of 2023.  The definition in the UK GDPR and Data Protection Act 2018, will refer to the UK's Human Rights Act rather than the European Convention on Human Rights. As the government sets out in the explanatory notes, the HRA does not explicitly protect personal data unlike the ECHR.  However, the government says the protection of personal data falls within the ECHR Article 8 right to respect for private and family life which is enshrined in the HRA. Together with the protections afforded under data protection law, the government says there will be no change to the level of protection for UK citizens.

News as at 7 September 2023

The ICO and CMA issue joint report on Online Choice Architecture

On 9 August 2023, the ICO and CMA published a joint blog and position paper, which calls for organisations to stop using harmful Online Choice Architecture (OCA) to steer consumers into providing more personal data than they otherwise would like.   Read our article on 'Why Online Choice Architecture is a data protection priority' for more on this.

Multi-national joint statement on data scraping and data protection

The UK's ICO together with regulators from Norway, Jersey, Switzerland, Canada, Hong Kong, Australia, New Zealand, Columbia, Morocco, Argentina and Mexico, has published a joint statement highlighting the data privacy issues caused by unlawful data scraping on social media sites.  The regulators remind social media and website operators that mass data scraping can constitute reportable data breaches in many jurisdictions and that they have obligations to protect publicly accessible personal data where that data is protected by law.  The regulators expect the operators to implement mutli-layered technical and organisational measures to mitigate scraping and data privacy risks, including, by rate limiting access where unusual activity is detected, introducing measures to detect bots, and blocking IP addresses where scraping has been identified.  The regulators also call on individuals to take steps to protect their data and call on social media companies to enable users to engage with their services in a privacy protective manner.

Social media companies and other website operators hosting publicly accessible personal data are invited to submit feedback within a month and demonstrate how they protect individuals from unlawful scraping of their personal data.

EC introduces common logos under Data Governance Act

The European Commission has adopted an Implementing Regulation to introduce common logos to help easily identify trusted data intermediation service providers and data altruism organisations in the EU as provided for under the Data Governance Act.  Logos will be registered as trade marks.  They will need to be clearly displayed by data altruism organisations in all on- and offline publications, together with a QR code linking to the EU public register of recognised data altruism organisations.  The register is due to launch on 24 September 2023.

ICO guidance for employers on processing health information of people who work for them

The ICO has published guidance setting out data protection obligations on employers processing health data of the people who work for them.  The guidance has been updated following a consultation on the draft.  It explains the additional requirements when processing special category data and goes into detail on information provision, carrying out a DPIA prior to processing, data minimisation and security.  The second part of the guidance looks at particular workplace scenarios and the guidance also includes a number of checklists.

ICO guidance on sending bulk emails

The ICO has published guidance on how to send emails to multiple recipients in a secure manner.  In a blog post, the ICO says that incorrect use of the 'bcc' field to send bulk emails is one of the top data breaches reported to the regulator.  The ICO underlines that use of the bcc field is not, on its own, enough to protect personal information, and suggests that organisations sending sensitive information electronically should use alternatives such as bulk email services, mail merge or secure data transfer services.  The ICO also points to recent enforcement actions against three organisations which used bcc in breach of data protection law.  Key to proper use is assessing and implementing appropriate technical and organisational measures and training staff. 

AirBnB Ireland reprimanded by Irish DPC

AirBnB Ireland has received a reprimand from the Irish Data Protection Commissioner relating to the processing and retention of copies of documents used to verify identity.  The DPC says the practice of retaining a copy of the relevant document after identity has been verified breaches the GDPR minimisation and storage limitation principles.

EDPS opinions on draft Financial Data Access Framework and EU Payment Services Regulation and Directive

The EDPS has published opinions on the draft Financial Data Access Framework and Regulation and Directive on payment services within the EU.

The EDPS is supportive of the Framework but recommends tightening the definition of "customer data" and limiting the types of personal data that can be processed as well as explicitly excluding data obtained through profiling.  Regarding the proposed Regulation and Directive on payment services, the EDPS makes recommendations to assist with fraud prevention, including defining what data is necessary for fraud prevention, and limiting data collection to data falling within the definition, as well as specifying who may collect special category personal data and under what circumstances. 

NOYB files complaints against Fitbit

NOYB has filed complaints against Alphabet-owned fitness tracker Fitbit, with data protection regulators in Austria, the Netherlands and Italy.  NOYB alleges that Fitbit effectively requires users to consent to their personal data being exported outside the EU and does not allow them to withdraw that consent.  It also claims that Fitbit fails to provide an adequate explanation of what it does with exported special category data.

NIST publishes draft post-quantum cryptography standards and cyber security and privacy learning program

The US National Institute of Standards and Technology (NIST) has published draft post-quantum cryptography standards.  These are intended to help organisations defend themselves from quantum-enabled cyber attacks.  Three Federal Information Processing Standards are included containing a number of lattice and hash-based algorithms.  NIST has also issued a draft learning program covering cyber security and privacy.  The documents are open for consultation.

DCMS Committee recommendations on monitoring employees

The DCMS Committee has published a report on 'Connected tech: smart or sinister?'.  Among its recommendations are that monitoring of employees should only be done in consultation with employees and with their consent.  The report calls on the ICO to develop its draft guidance on monitoring at work into a principles-based code for designers and operators of workplace connected technology. 

India finalises Digital Personal Data Protection Act

India's long-awaited Digital Personal Data Protection Act has been published in the Gazette of India.  The Act does not specify a transitional period and different provisions are likely to be brought into force on different dates.  Essentially, it provides conditions for processing digital data, places obligations on data fiduciaries (controllers) and gives rights to data principals (data subjects).  Fines for non-compliance are up to approximately US$30m.

Plans evolve for Common European Tourism Data Space

The European Commission has adopted a Communication setting out plans for a Common European Tourism Data Space.  The EC intends that the data space will provide the European tourism ecosystem with the means for sharing data, in particular to foster trust, enhance interoperability support digitisation and sustainability of the industry. The introduction of the system will take place over the next two and a half years with full functionality expected by 2025.

EDPB statement on first annual review of EU-Japan adequacy agreement

The EDPB has published a statement following its participation in the EC's first annual review of the EU-Japan adequacy agreement.  The EDPB agreed with the EC's assessment that changes to Japan's data protection laws had not impacted the adequacy decision and that reviews could now proceed on a four yearly basis.  It did, however, identify a few issues to keep an eye on including the use of consent in potentially imbalanced relationships. 

Meta to offer EU opt-in to targeted advertising

Meta is planning to offer EU users a simple opt-in (yes or no) to receiving targeted advertising across its platforms.  This is in response to the €390m fine it received from the Irish Data Protection Commissioner for unlawfully relying on contractual necessity to serve behavioural ads.  Meta's changes will not apply in the UK.  The ICO has said it is assessing what this means for the information rights of people in the UK and is considering its response.

Government consults on banning cold calling for consumer financial products and services

HM Treasury is consulting on a cold calling ban for consumer financial services and products.  The ban was announced in May 2023 and the consultation and call for evidence look at how best to design and implement it.  The government highlights that the ban will work alongside other measures to tackle fraudulent marketing, including the DPDI Bill and the online advertising programme, as well as a proposed online fraud charter.  The consultation closes on 27 September 2023.

EDPB finalises Article 65 decision on TikTok

The EDPB has finalised an Article 65 decision relating to the Irish Data Protection Commissioner's decision on TikTok's use of children's personal data.  The Irish DPC submitted its draft decision to other concerned authorities in September 2022, but referred the decision to the EDPB after failing to get agreement.  The inquiry relates to TikTok's processing of children's personal data, in particular, historic public-by-default settings, age verification measures for under-13s, and compliance with transparency requirements.  The EDPB's decision will be published following publication of the Irish DPC's final decision.

ICO updated guidance on "likely to be accessed by children"

The ICO's Children's Code applies to online services "likely to be accessed by children".  The ICO published guidance in the form of FAQs on what this means but has now updated this to add further clarification in response to a consultation which closed in May 2023.  Clarifications include additional information on why there is no defined threshold for what constitutes a "significant number" of children accessing a service, and also gives a bit more information about when the ICO might consider regulatory action. 

Norway's DPA imposes daily fines on Meta

In July, the Norwegian DPA imposed a temporary ban on Meta (to apply on its Facebook and Instagram platforms) from carrying out behavioural advertising based on the surveillance and profiling of users in Norway.  The ban will initially apply until October.  The DPA has now begun fining Meta nearly €100,000 a day for failing to comply with the ban. Meta's initial application for an injunction to suspend the ban has now been rejected and the Norwegian DPA is considering a referral to the EDPB. 

ICO consultation on draft biometric guidance

The ICO is consulting on the first phase of guidance on biometric data and biometric technologies.  Phase one covers draft biometric data guidance.  The consultation is open until 20 October 2023.

News as at 27 July 2023

EDPB information note on DPF as website goes live

The EDPB has published an information note on data transfers from the EU to the USA after the adoption of the EC's adequacy decision relating to the Data Privacy Framework (DPF).  The note is broadly supportive although is a reminder of the fact that the adequacy decision is subject to annual review.  The EDPB states that:

• From 10 July 2023, transfers from the EU to US organisations included in the DPF List may be based on the adequacy decision without the need to rely on Article 46 GDPR transfer tools and without the need for supplementary measures.
• If the US organisation is not on the DPF list, data must be appropriately protected with enforceable rights and effective remedies available to data subjects in accordance with Article 46 – eg by using Standard Contractual Clauses or Binding Corporate Rules.  The EDPB stresses that "all the safeguards that have been put into place by the US Government in the area of national security (including the redress mechanism) apply to all data transferred to the US, regardless of the transfer tool used.  Therefore, when assessing the effectiveness of the Article 46 GDPR tool chosen, data exporters should take into account the assessment conducted by the Commission in the Adequacy Decision" .
• Individuals whose data is transferred to the US based on the adequacy decision have several redress mechanisms available but are encouraged to first raise any complaint with the relevant US organisation.  EU organisations may, if necessary, seek the advice of their competent DPA.
• Regardless of the transfer tool used, EU individuals can submit a complaint to their national DPA to make use of the new redress mechanism in the area of national security.  The DPA will turn the complaint over to the EDPB, which will then transmit it to the competent US authorities.  The DPA will keep the individual informed about the progress with and outcome of the complaint.  For the complaint to be admissible, the individual does not have to demonstrate their data was collected by US intelligence agencies.

It is interesting that the EDPB stops short of saying that supplementary measures are not needed to protect personal data being transferred under Article 46 transfer tools, although the implication of its statement is that they are unlikely to be necessary.

On 17 July, the US International Trade Administration launched its DPF website which allows organisations to self-certify under the DPF, and provides a range of advice and information.  US organisations can also now sign up to the UK extension although data cannot be transferred under it until the UK has legislated to adopt a UK-US data bridge, and the US has formally recognised the UK as a qualifying state.

WhatsApp changes lawful basis for processing EU personal data

In January 2022, the Irish DPC fined WhatsApp €5.5m.  Among other things, the Irish DPC found that WhatsApp was not entitled to rely on the lawful basis of contractual necessity for the delivery of service and security (excluding IT security).  As a result, WhatsApp has changed to legitimate interests as its lawful basis for these purposes.

EC to evaluate Regulation on ENISA and ICT

The EC has published a call for evidence for an valuation of the ENISA and ICT Regulation.  The call is open until 16 September 2023 and a report will be adopted in Q2 2024.

News as at 20 July 2023

Draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023

The draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products Regulations 2023 (Regulations) have been laid before Parliament under Part 1 of the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA).  Part 1 of the PSTIA deals with security of consumer connectable products and is set to come into force on 29 April 2024, but much of the detail on what security measures will be required is to be set out in secondary legislation. The draft Regulations set out security obligations on manufacturers of relevant connectable products (but do not cover requirements for importers or distributors). They are based on the UK's Code of Practice for Consumer IoT security, ETSI EN 303 645, and advice from the National Cyber Security Centre. They are being adopted under the Affirmative Procedure so must be approved by both Houses of Parliament.

The Regulations cover:

• requirements for default passwords
• information that must be provided to the public on reporting security issues
• what information must be provided to the public on the minimum period for which in-scope products will benefit from security updates
• exempt products
• what information must be included in the statement of compliance under s9 PSTIA
• conditions under which a manufacturer will be deemed to comply with security requirements under s3 PSTIA and how long the statement must be retained.

Read more.

Norwegian DPA imposes temporary ban on behavioural advertising by Meta

The Norwegian DPA has imposed a temporary ban on Meta (to apply on its Facebook and Instagram platforms) from carrying out behavioural advertising based on the surveillance and profiling of users in Norway.  The ban will initially apply until October.  The Norwegian DPA cites the December 2022 Irish DPC decision after which Meta made changes and said that the recent ECJ decision on the role of data protection in competition decisions stated that Meta's behavioural advertising still fails to comply with the law.  While it is not Meta's lead regulator, the DPA is exercising its right to intervene directly and may refer the matter to the EDPB after the summer.

The DPA says it is not banning all behavioural advertising by Meta and says its decision does not prevent Meta from targeting advertising based on user bio information or interests that a user has provided themselves, nor where the user has given valid consent.

ICO publishes compliance lessons from reprimands

The ICO has published key learnings for organisations to improve their data protection practices based on reprimands issued by the ICO in Q1 2023/4:

• Avoid inappropriate disclosure of personal information by having policies in place and training staff
• Respond to information access requests on time
• Implement a data protection by design and default approach.

ICO support for data sharing between gambling operators following completion of regulatory Sandbox

The UK's ICO has published a report following the exit of the Betting and Gaming Council from the ICO's regulatory Sandbox.  The Council entered the Sandbox to explore the gambling industry's development and trial of a Single Customer View (SCV) solution, developed with operators and intended to enable a more unified and proactive intervention by gambling operators to reduce incidents of gambling related harm. The data sharing project (known as GamProtect) will now be implemented across the gambling industry with support from the Betting and Gaming Council. 

The ICO has also written to UK Finance sharing its findings and responding to a request for clarification on whether in relation to the sharing of consumer credit risk data by credit reference agencies with gambling operators:

• The processing would be deemed compatible with the original processing purposes.
• The nature of lenders' transparency obligations and whether they have an obligation to notify their consumers of the new sharing by the credit reference agencies ahead of sharing the data.

The ICO has advised gambling operators that:

• the GDPR does allow credit reference agencies to share personal information with gambling operators to enable financial risk checks provided the shared information is limited to what is necessary
• credit reference agencies must conduct a Data Protection Impact Assessment prior to sharing the information
• gambling operators must safeguard any additional information they receive from the credit reference agencies and use it only for the purposes of carrying out the financial risk checks
• banks, lenders and other parties are expected to update their privacy notices and other accountability information to reflect the increased scope of data sharing by the credit reference agencies.

The ICO says lenders (and other parties sharing information with credit agencies) and the credit agencies themselves, will need to carry out a compatibility assessment to decide whether the new purpose for sharing the data is compatible with the original purpose for processing the data.  The ICO notes the close link between the original purpose of enabling the assessment of consumer credit, and enabling online gambling operators to conduct financial risk checks.  It also notes that data subjects have an expectation that their data will be shared by lenders and credit reference agencies for the purpose of credit checks.  The Gambling Commission has already directed relevant stakeholders to make it clear to customers that their data may be shared in relation to financial vulnerability. 

Given the sensitivity of the data being shared, the ICO expects that sharing of data will be kept to what is necessary and that the underlying purpose of safeguarding individuals at risk provides a compelling reason for sharing of the data.  The ICO expects gambling operators to put robust safeguards in place and reminds them that any use of the data for commercial gain would be strictly outside the purpose for which the data is being shared.

The ICO points to clarifications being introduced under the Data Protection and Digital Information Bill which will make clear that a further processing purpose will be compatible with the original purpose where it is necessary for safeguarding vulnerable individuals.

News as at 13 July 2023

EC announces adoption of EU-US Data Privacy Framework adequacy decision

The European Commission has announced the adoption of its adequacy decision for the EU-US Data Privacy Framework (DPF).  It entered into force on 11 July.  The Commission concludes that the US provides an adequate level of protection for personal data transferred from the EU to US companies under the new framework.  Personal data can flow freely from the EU to US companies participating in the framework without the need for supplementary measures. 

The Commission underlines that the DPF introduces new binding safeguards to address the concerns raised by the ECJ, including by limiting access to EU data by US intelligence authorities to what is necessary and proportionate to protect national security.  The new framework also establishes a Data Protection Review Court to which EU individuals have access and which can order remedies relating to unlawfully transferred personal data, including data deletion. 

In its accompanying FAQs, the Commission notes that all safeguards put in place by the US government in the area of national security (including the redress mechanism), apply to all GDPR data transfers to companies in the US, regardless of the transfer mechanism used.  The safeguards "therefore also facilitate the use of other tools, such as standard contractual clauses and binding corporate rules".  This suggests an end to the requirement for supplementary measures for all US data transfers, even where a Transfer Impact Assessment is required.

On 11 July 2023, the US International Trade Administration confirmed that from 17 July 2023, US organisations may self-certify compliance pursuant to the UK Extension to the EU-US DPF.  They may not, however, begin relying on it to receive personal data from the UK and Gibraltar, before the UK's anticipated adequacy regulations (not yet published at time of writing) implementing the Data Bridge enter into force.  Organisations participating in the UK Extension must also participate in the EU-US DPF.  The Swiss-US DPF will also be available from 17 July 2023.

Read more about what this means, including from a UK perspective here, and find out more detail about the DPF and what compliance involves here.

ICO publishes journalism code of practice

The ICO has published its code of practice about using personal information for journalism.  This will be a statutory code which will come into force once it has completed the s125 DPA process and has been laid before Parliament by the Secretary of State.  It can, however, provide guidance immediately.  Following a consultation process, the code has taken on board stakeholder feedback.  It is intended to provide practical guidance on how to comply with data protection law and good practice when personal information is used for journalism.  Reference notes support the code and contain more information about relevant legislation and case law examples.  The code is strictly limited to data protection law and does not cover media standards in general.

EC publishes Regulation to set out additional procedural rules on GDPR enforcement

The European Commission has adopted a proposal for a Regulation on additional procedural rules relating to the enforcement of the GDPR (GDPR Procedural Regulation).  The Regulation is intended to set up procedural rules for cross-border enforcement actions.  The Commission feels that further harmonisation is needed to support the consistency and cooperation procedure under the GDPR, owing to the fact that different Member States have different interpretations of the GDPR which can result in a lack of consensus and a lengthy dispute resolution process under the Article 65 procedure.

The new draft Regulation sets out additional rules dealing with:

• Rights of complainants – the proposal harmonises the requirements for a cross-border complaint to be admissible, establishing common rights for complainants to be heard in cases where their complaints are fully or partially rejected.  There are also rules on the level of involvement of the complainants.
• Rights of parties under investigation (controllers and processors) – parties under investigation have the right to be heard at key stages including during any EDPB dispute resolution.
• Streamlining cooperation and dispute resolution – DPAs will be able to provide their views early on in investigations and make use of all the tools of cooperation provided by the GDPR including joint investigations and mutual assistance.  The aim is to enhance DPA influence over cross-border cases and facilitate early consensus building.   

These measures are intended to speed up completion of investigations and support consumers and businesses.  The Commission says consumers and businesses will benefit from complaints being resolved more quickly and businesses will gain greater legal certainty.

Council of Europe publishes model clauses for data transfers under Convention 108+

The Council of Europe has published the first model of the model contractual clauses for the transfer of personal data from controller to controller developed under the Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108+).  Convention 108+ requires signatories to take steps in their domestic legislation to apply its principles in order to protect fundamental human rights with regard to processing of personal data.  The model clauses can be adopted by signatories under domestic legislation and used to protect the rights of individuals where personal data is transferred from controller to non-signatory controller.

ENISA health sector threat landscape report

ENISA has published a threat landscapes report focused on the health sector.  It analyses cyber incidents between January 2021 and March 2023 and identifies a list of prime cyber security threats to the EU's healthcare sector.  Ransomware attacks continue to present the biggest risk, particularly to patient data.  ENISA says only 27% of healthcare organisations were found to have a dedicated ransomware response programme.  The report makes a number of recommendations including making offline encrypted backups of mission critical data containing confidential information, training and awareness raising for healthcare professionals, and regular vulnerability screening backed up by patches and software updates.

US government joins Meta Irish DPC ruling appeal

Meta's appeal against the Irish DPC ruling which requires it to suspend its EU-US data transfers under standard contractual clauses and repatriate unlawfully transferred data, has been joined by the US government.  The US government will be able to provide information to the court and details of the US rules on government access to data.  The repatriation requirement now makes little sense given the adoption of the EU-US Data Privacy Framework adequacy decision, the safeguards under which can also be used to facilitate transfers under SCCs and BCRs. 

News as at 6 July 2023

US finalises EU-US Data Privacy Framework requirements paving the way for adequacy decision

The U.S. Department of Justice has announced the USA has fulfilled its commitments for implementing the EU-US Data Privacy Framework. The Attorney General has designated the EU Member States as well as Iceland, Liechtenstein and Norway as "qualifying states" whose citizens are able to file for redress through the proposed Data Protection Review Court and benefit from enhanced U.S. privacy protections. The designations will apply once the EU has adopted the EU-US adequacy decision. The ODNI has released the policies and procedures the U.S. intelligence community will follow as part of President Biden's executive order.  The European Commission is expected to adopt an adequacy decision in the next few weeks.

Draft EU Financial Data Space Regulation published

The EC has published a proposal for a Regulation for a framework for financial data access intended to set out processes for management of customer data sharing in the financial sector. Once passed it will amend the EBA Regulation, the EIOPA Regulation, ESMA and DORA.  This is the second of the common European data spaces to reach this stage (the first being the health data space), and is part of the EU's wider strategy to facilitate sharing of business data.  The intention is that the financial data space will:

• enable customers to securely share their data with data users (eg financial institutions) to give them access to a wider range of financial products and services, particularly data driven ones and at cheaper prices
• require customer data holders to make this data available to data users subject to customer permission
• give customers control over who accesses their data for what purpose
• standardise customer data and technical interfaces for data sharing
• implement clear liability for data breaches and dispute resolution relating to financial data sharing
• incentivise data holders to establish high quality interfaces for data users through reasonable compensation from data users in line with the principles under the Data Act. 

ECJ ruling on interplay of competition and consumer protection law

The ECJ has published its decision in a reference from Germany involving Meta Platforms and the impact of its data practices on competition.  In the original case in Germany, the German competition authority, the Bundeskartellamt, found that the data collected by Meta Platforms Ireland about user activities on and off Facebook and across other Meta services and linked back to their Facebook account for targeted advertising purposes, was collected without valid consent and therefore in breach of the GDPR.  It found this constituted an abuse of Meta's dominant position in online social networks.

The Higher Regional Court in Duesseldorf asked the ECJ whether it was open to a national competition authority to review whether a data processing operation is GDPR-compliant.

In line with the AG Opinion, the ECJ found that:

• In investigating potential abuses of competition law, it is open to national competition authorities to examine whether an undertaking complies with other rules, such as the GDPR, but only in order to establish an abuse of a dominant position and impose measures to remedy that abuse.
• National competition authorities are required to cooperate with other regulators eg data protection regulators.  In the context of the GDPR, they must also look at and take into account any relevant decisions made by that regulator or the courts and cannot depart from them.

The ECJ also made a number of observations in relation to Meta's data processing operations including:

• the mere fact a user visits websites or apps which may reveal sensitive data, does not mean that the user manifestly makes public that data for GDPR purposes.  The same is true where the user enters information on, or clicks or taps on buttons integrated into a website or app, unless the user has explicitly beforehand made the choice to make that data publicly accessible to an unlimited number of persons
• the justification of contractual necessity may only be used for data processing operations which are objectively indispensable, such that the main subject matter of the contract cannot be achieved if the processing in question does not occur.  The ECJ doubts that delivery of personalised content by Meta would achieve this although it will be up to the national courts to decide. Moreover, the ECJ says personalised advertising by which Facebook finances its activities, cannot be justified as a legitimate interest in the absence of user consent
• the fact that the operator of an online social network holds a dominant position on the social network market does not, in itself, prevent its users from giving valid GDPR consent but given it creates an imbalance in power, it is an important factor in determining whether or not valid consent is given and it is for the operator to prove that it has been.

Read more.

Meta stay of action on Irish DPC decision

The Commercial Court of Ireland has extended Meta's interim stay on the order from the Irish DPC to suspend its EU-US data transfers.  The stay will now continue until at least the end of July. 

Irish Parliament votes on confidentiality of Irish DPC proceedings

The Irish Parliament has voted to allow the Irish Data Protection Commissioner to declare the majority of its procedures confidential during its investigations.  The Irish DPC will have discretion to make certain information confidential but must specify the reasons for doing so.  Privacy campaigners have complained that this will reduce scrutiny of the Irish DPC who is the lead EU regulator for a number of the 'big tech' companies.

UK NCSC updates risk management toolkit

The UK's National Cyber Security Centre has updated its risk management toolkit for practitioners with an eight-step risk management framework and a revised toolkit framework to cover a variety of sectors and organisation sizes.

News as at 29 June 2023

EU Data Act agreed

Political agreement has been reached between the European Council and Parliament on the European Data Act. The Data Act was originally proposed in February 2022.  It aims to facilitate data sharing, in particular, industrial and business data as well as personal data, in order to help individuals and businesses leverage the value of the data they help generate, and level the data playing field.

The Data Act will:

• enable users of connected devices to access and share the data generated by those devices and by related services  
• provide protections from unilaterally imposed unfair contractual terms relating to data ownership
• give public sector bodies access to private sector data under limited circumstances, for example, during public emergencies
• facilitate switching between cloud data-processing service providers to promote customer choice and competition, as well as introducing safeguards against unlawful data transfers
• provide for the development of interoperability standards for data sharing and data processing.

The Data Act is part of the European Strategy for Data.  This also includes the Data Governance Act (which will apply from 24 September 2023 and which, among other things, sets out processes and structures to facilitate data sharing among EU public bodies and between sectors), and plans to create a series of common European data spaces.  

The Data Act will now be formally adopted and published in the Official Journal.  It will come into force twenty days after publication and will apply twenty months after that – so likely in early to mid 2025.

Read more about what this means for you.

CNIL fines Criteo €40 million

The French DPA, the CNIL, has fined behavioural advertising company Criteo €40m for GDPR breaches. This represents a €20m reduction from the originally announced provisional amount. The CNIL investigated Criteo following complaints from Privacy International and NOYB. It found a number of GDPR infringements including:

• Failure to evidence consent of individuals to the processing of their personal data – Criteo was not verifying that its partners in direct contact with users were collecting user consent before placing its cookie and had not, at the time of the investigations, included contractual clauses obliging its partners to do so. Criteo partner contracts now include a clause requiring partners to promptly provide Criteo on request at any time, with proof that consent has been obtained from the data subject.
• Transparency and information failings – Criteo's privacy policy was incomplete and did not include all the intended purposes of processing. In addition, the purposes were expressed in vague and broad terms. This has been rectified.
• Failure to respect the right of access – when Criteo responded to subject access requests, it did not provide complete data and did not provide individuals with sufficient information to enable them to understand what was supplied.
• Failure to comply with the right to withdraw consent and with the right to erasure – when an individual exercised their right to erasure or to withdraw consent, although the display of personalised advertising stopped, the company did not delete the identifier assigned to that person or erase navigational events related to that identifier.  
• Failure to provide a joint controller agreement – joint controller agreements put in place with partners did not contain all the required elements. 

In determining the amount of the fine, the CNIL took into account the fact that the processing in question concerned a large number of people across the EU and that the company had collected a large amount of personal data relating to the online preferences of individuals. While Criteo did not have names of individual users, the CNIL considered that Criteo held data which was sufficiently accurate to re-identify individuals in some cases. The CNIL also considered that Criteo's failure to evidence consent enabled it to increase the number of individuals accepting its cookies which allowed it to benefit financially.

EDPB template complaint form

The EDPB has adopted a template complaint form to facilitate the submission of complaints by individuals and their subsequent handling by DPAs in cross-border cases. The template takes into account differences between national laws and practices. DPAs will be able to use it on a voluntary basis and can adapt it to their national requirements. The expectation is that using the form will save DPAs time and help resolve cross-border cases more efficiently. The EDPB also adopted a template acknowledgment of receipt form.

Recommendations for Controller Binding Corporate Rules 

The EDPB has adopted a final version of the Recommendations on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules (BCR-C). The recommendations update the existing BCR-C referential which contains criteria for BCR-C approval, and merge it with the standard application form for BCR-C.

The recommendations are intended to:

• Provide an updated standard application form for the approval of BCR-Cs.
• Clarify the necessary content of BCR-Cs and provide further explanation.
• Make a distinction between what must be included in a BCR-C and what must be presented to the BCR lead data protection authority in the BCR application.

The recommendations provide additional guidance and aim to ensure a level playing field for all BCR-C applicants based on experience gained by DPAs. They also take account of the Schrems II judgment.  

On publication (to follow shortly), the guidelines are applicable to all BCR-C holders. In practice, existing as well as new and ongoing applicants will have to bring their BCR-C in line with the requirements set out in the recommendations, either during the application process or as part of their 2024 annual update.

ECJ Opinion on SARs

The ECJ has ruled on interpretation of Article 15(1) GDPR which deals with subject access requests, in response to a reference from Finland. The ECJ said:

• Article 15 GDPR applies to subject access requests relating to personal data processed before the GDPR became applicable but made under the GDPR.
• Article 15(1) must be interpreted as meaning that information relating to consultation operations carried out using an individual's personal data and concerning the dates and purposes of those operations, would be information to be included in response to that individual's SAR. Information relating to the identity of the employees carrying out the operations in accordance with the instructions of their employer would not be relevant unless the information is essential to enable the individual concerned to exercise their rights, and provided the rights of the employees are taken into account.
• Article 15(1) must be interpreted as meaning that the fact the controller is engaged in and acts within the framework of a regulated activity, and the fact that, (as in this case), the individual making the SAR was both an employee and a customer, do not have an impact on the scope of the right of access.

News as at 22 June 2023

ICO to scrutinise use of generative AI

The UK's ICO has called on businesses to address the privacy risks of generative AI before adopting the technology and says it will carry out tougher checks on whether organisations have complied with data protection law before and when using generative AI.  Businesses are cautioned to "spend time at the outset to understand how AI is using personal information, mitigate any risks….and then roll out your AI approach with confidence that it won't upset customers or regulators".  The ICO is signalling that this will be a priority area, saying "businesses need to show us how they've addressed the risks that occur in their context – even if the underlying technology is the same.  An AI-backed chat function helping customers at a cinema raises different question (sic) compared with one for a sexual health clinic, for instance".

CDEI report on making AI systems fairer

The Centre for Data Ethics and Innovation has published a report on Enabling responsible access to demographic data to make AI systems fairer.  It sets out approaches to accessing demographic data responsibly for bias detection and mitigation.  The report suggests using data intermediaries and proxy data may help manage risks although they will not always be suitable.  It underlines that in the short term, direct collection of demographic data is likely to be the best option in most circumstances, saying this can usually be done lawfully provided care is taken to comply with applicable data protection law.  However, the CDEI also sees an opportunity for an ecosystem involving intermediaries and proxies to emerge which offer better options.

ICO launches new PETs guidance

The ICO has published guidance on using privacy enhancing technologies (PETs).  The guidance is divided into two parts which variously cover:

• Guidance aimed at DPOs and those with specific data protection responsibilities in larger organisation – this focuses on how PETs can help achieve compliance with data protection law, and
• A more technical section for DPOs who want to understand more detail about currently available PETs – it sets out eight types of PET and explains their risks and benefits.

ENISA reports on AI and cybersecurity

ENISA, the EU cybersecurity agency, has published four reports on AI and cybersecurity:

• A multi-layer framework for good cybersecurity practices for AI
• AI and Cybersecurity research
• Cybersecurity and privacy in AI – forecasting demand on electricity grids
• Cybersecurity and privacy in AI – medical imaging diagnosis.

The framework consists of three layers – cybersecurity foundations, AI-specific cybersecurity, and sector-specific cybersecurity for AI.  It aims to provide a step-by-step process for establishing good cybersecurity practices to build trust in AI. 

Leaked proposals on EDS for financial data and establishment of a digital Euro

The European Commission is poised to introduce Regulations:

• To establish a common European data space for financial data, and
• To establish a digital euro to be used by payment service providers.

According to leaked documents, these proposals are likely to be published on 28 June 2023.

The financial data space will complement the Data Act which is reportedly nearing the end of the trilogue process.

Irish DPC asks Google for more information about its AI tool Bard

Politico reports that Google has postponed its EU release of its AI chatbot Bard, in response to requests from the Irish Data Protection Commissioner.  The Irish DPC has reportedly said Google has not supplied it with a DPIA, nor has it provided any detailed information about the use of personal data by the tool, and how it will comply with the GDPR.

News as at 15 June 2023

Centre for Data Ethics and Innovation publishes portfolio of AI assurance techniques

The CDEI has published a portfolio of AI assurance techniques in collaboration with techUK. It is intended to be used by anybody involved in designing, developing, deploying or procuring AI-enabled systems, and sets out examples of AI assurance techniques being used in the real world, to support the development of trustworthy AI. The techniques have been mapped on to the principles set out in the government's AI White Paper. They include:

• impact assessments
• impact evaluations
• bias audit
• compliance audit
• certification
• conformity assessment
• performance testing
• formal verification.

These are applied across a number of sectors and will be added to over time.

UK and US reiterate intention to create a UK-US data bridge

Following Rishi Sunak's trip to Washington DC, the UK and US put out a joint statement committing in principle to establishing a UK-US data bridge to allow frictionless transfers of personal data between the UK and the USA. While this is being touted as 'news', it doesn't add a great deal to earlier statements of intention although it does indicate that progress has been made over the last two years. The UK is continuing to assess the US privacy framework and technical work is ongoing to establish the UK as a qualifying state under President Biden's Executive Order 14086. Under the 'Atlantic Declaration' the US and UK also agreed to cooperate on the development of AI and of Privacy Enhancing Technologies (PETs).

EDPB adopts final guidelines on administrative fines and Article 65(1)(a) GDPR

The EDPB has adopted final guidelines on administrative fines. They aim to harmonise the methodology used by DPAs to calculate fines, including the starting points – the categorisation of infringement by nature, the seriousness of the infringement, and the turnover of the business. The guidelines then include a five-step methodology covering the number of instances of sanctionable content, the starting point for calculation of the fine, aggravating or mitigating factors, legal maximums of fines, and the requirements of effectiveness, dissuasiveness and proportionality.

Following consultation on the draft guidelines, an annex has been added with a reference table summarising the methodology and providing illustrative examples. The guidelines have also been updated to ensure consistency with the Meta findings. 

In addition, the EDPB adopted final guidelines on Article 65(1)(a) GDPR, which are intended to set out the main stages of the Article 65 procedure and clarify the competence of the EDPB when adopting a legally binding decision under Article 65(1)(a). The guidelines have been updated to ensure consistency with other guidelines and now also include a summary. 

Meta granted preliminary stay on order to suspend US data transfers

Meta has filed two actions at the Irish High Court in an attempt to overturn the Irish Data Protection Commissioner's decision fining it €1.2bn and ordering it to suspend data transfers to the US, and delete or repatriate unlawfully transferred data. It is seeking judicial review of the decision and has asked the court to suspend the deadlines for acting on the requirements under the decision. Meta has been granted a stay on the orders until the court's next sitting which is expected to take place on 19 June 2023.

ICO warns of dangers of neurotech

The ICO has warned that neurotechnolgies (which monitor the brain) pose major risks of bias if not developed and used correctly, particularly to neurodivergent people. The ICO will produce guidance for developers of neurotech. In a report, ICO tech futures: neurotechnology, the ICO predicts that neurotechnolgies will become more widespread over the next decade but risk causing harm if they are not developed and tested using a wide enough range of people. The report details possible future avenues of development for neurotechnology, including the workplace, employee hiring, sports, personal health and wellbeing, marketing, and video games.

Florida Bill of Digital Rights

Governor de Santis has signed Florida's Digital Bill or Rights into law. It includes privacy requirements for certain 'big tech' companies and introduces children's privacy protection requirements across a broader range of companies. Among other things, it gives consumers the right to know what information companies are collecting about them, and correction and limited deletion and disclosure rights. It applies only to companies with annual revenue of over $1bn. The law will take effect on 1 July 2024. 

European Parliament adopts its position on draft AI Act

The AI Act heads into the final stages of the legislative process following the European Parliament's adoption of its negotiating position on 14 June.  Attempts to introduce last-minute changes were voted down with the result that negotiations can now begin between the European Parliament and the European Council.  See here for more on changes proposed by the Parliament to the Commission's proposal.

News as at 7 June 2023

Hack of payroll provider Zellis compromises data of thousands of UK employees

Third party payroll provider Zellis, has reportedly suffered a hack of the MOVEit file transfer software it uses. The hack is thought to have been carried out by a criminal gang with links to Russia. MOVEit says it has now corrected the exploited vulnerability. The hack potentially exposes names, addresses, NI numbers and banking details of tens of thousands of employees. BA, Boots and the BBC have confirmed they are among those affected.

ICO guidance on SARs for employers

The ICO has published guidance on SARs for businesses and employers in the form of a set of Q&As for employers. The guidance covers common issues including how to respond to requests, procedural issued, the scope of requests, what information can be withheld, and how to deal with mixed data.

Health data being unlawfully shared by NHS trusts, reports the Observer

The Observer reported that 20 UK NHS trust websites are unlawfully sharing personal data with Meta through a Meta Pixel tool. The data in question includes browsing data and information about medical conditions, appointments and treatments. 17 of the 20 trusts have already confirmed they have taken the tool off their sites. The Observer alleges that data was transferred automatically before users had a chance to select cookies and without explicit consent. Much of the transferred data would be special category data. The transfer of personal data also allegedly breached some of the trusts' terms and conditions and privacy policies with only three mentioning Facebook at all.

ICO rejects claims that it failed to protect individuals' rights during pandemic

The Open Rights Group has published a report accusing the ICO of failing to protect public privacy and data rights during the COVID-19 pandemic.  The report says the ICO repeatedly failed to take action over clear breaches of data protection law by the government, and by choosing to act as a "critical friend", did not challenge the government on accountability and transparency, excessive data retention, late DPIAs, and the involvement of private companies without proper safeguards. The report expresses concerns that large amounts of personal data are being unnecessarily retained and potentially used by third parties.

The ICO has said it does not agree with the findings of the Open Rights Group report and stresses the support it gave to organisations during the pandemic.

ICO opinion on DPDI2 Bill

The ICO has published its opinion on the draft Data Protection and Digital Information Bill (No. 2). The Information Commissioner has said the bill "has moved to a position where I can fully support it". He welcomes a "positive package of reforms" which provides greater regulatory certainty for organisations. The ICO is particularly supportive of changes since the first draft to provisions which, it argued, would reduce its independence. It does, however, set out a list of clarifications it thinks are needed in the annex to the opinion.

ICO's Children's Code guidance updated to cover edtech

The ICO has updated its Children's Code guidance to cover edtech providers and services. The updates are intended to clarify when an edtech provider is covered by the Code. This includes services likely to be accessed directly by children, and those provided through schools. Schools are not in scope of the Children's Code as they are not Information Society Services providers.

Irish DPC expected to issue large fine to Microsoft

Microsoft has issued an investor statement suggesting the Irish Data Protection Commissioner will be fining it $425 million for data protection failings in relation to LinkedIn targeted advertising. The DPC issued a provisional decision in April which has not yet been finally announced. Microsoft has said it will contest the DPC's finding.

Separately, the FTC has fined Microsoft $20 million for alleged violations of COPPA relating to its Xbox gaming console and consent to the processing of under-13 year olds' personal data. The proposed order is subject to federal court approval but reportedly requires corrective measures to ensure Microsoft gets parental consent to the processing of personal data of under-13s, and improves its data retention processes for children's data.

Ofcom lowers incident reporting thresholds under NIS Regulations

Ofcom has lowered incident reporting thresholds for Operators of Essential Services (OESs) in the digital infrastructure sector in its NIS guidance. The changes took effect on 31 May and impact top-level domain name registries, domain name system resolver services, DNS authoritative hosting services and internet exchange points (IXPs) within scope of the NIS Regulations.

The revised guidance is for incidents to be reported where there is a service degradation of 25% for 15 minutes or more (rather than the previous50%). IXPs are also required to report incidents based on the loss of 50% of the total bandwidth capacity across all ports.  

Ofcom has also amended the section of its guidance which deals with enforcement, cross-referring instead to its Regulatory Enforcement Guidelines which were published in December 2022.

CMA consults on Meta's commitments on use of advertising data

The CMA is consulting on commitments offered by Meta to address the CMA's concerns that Meta might be abusing a dominant position in digital display advertising (DDA) services.

Under its agreements with its DDA customers, Meta can use the data it receives when providing DDA services for purposes beyond supplying those services. The CMA believes evidence points to Meta using such data, including competitor data, to develop and improve Facebook Marketplace.

Meta has offered commitments to address concerns which include:

• Implementing technical systems to prevent the use of certain competitor data to improve Facebook Marketplace. This will apply to advertisers which have opted out voluntarily or which have been proactively opted out by Meta and have not objected.
• Using all reasonable endeavours to ensure employees working on product development do not use data from provision of DDA or other services to improve or develop Meta's products in competition with specific products or services offered by advertisers.
• Undertaking compliance measures for relevant employees.

The CMA invites comments by 26 June 2023.

DHSC consultation on creating Secure Data Environments to access NHS data for research purposes

The DHSC is consulting on the creation of Secure Data Environments (SDEs) for accessing NHS data for research purposes. The intention is that a research SDE will be the primary way to access NHS data for research and external uses. NHS organisations will continue to manage the data and decide who can access it. The consultation closes on 23 June.

News as at 25 May 2023

Meta Ireland fined record €1.2bn and ordered to suspend EU data transfers

Following the intervention of the EDPB under the Article 65 GDPR process, the decision of the Irish DPC about Meta Ireland's transfers of personal data to the USA using Standard Contractual Clauses and supplementary measures has now been published, bringing the decade-long Schrems litigation to a head.  Its findings are that:

• In making the data transfers at issue, Meta infringes Article 46(1) GDPR as the transfers are made in circumstances which fail to guarantee an essentially equivalent level of protection to that under the GDPR.  None of the SCCs Meta has used, nor the supplementary measures it has put in place can compensate for the lack of protection and Meta cannot rely on derogations to the prohibition on transfers
• The data transfers must be suspended
• Meta must bring its processing operations into compliance with the rules on data transfers by ceasing unlawful processing, including storage in the US of unlawfully transferred EEA personal data
• Meta must pay a fine of €1.2bn.

The DPC underlines that the decision only binds Meta but it "exposes a situation whereby any internet platform falling within the definition of an electronic communications provider subject to the FISA 702 PRISM programme may equally fall foul of the requirements of Chapter V GDPR and the EU Charter of Fundamental Rights regarding their transfers of personal data to the USA". Given how broadly the FISA 702 provision can be interpreted, this could capture a whole swathe of organisations.  However, the DPC notes that the CJEU upheld the validity of SCCs as a legal instrument while emphasising the need to undertake a case-by-case analysis to determine whether or not transfers are lawful.  As a result, "it is not open to the DPC to make an order suspending or prohibiting transfers to the United States generally".

In other words, while this decision theoretically has wider application, in practice it only applies to Meta and it took ten years of litigation to reach this stage.  Meta and others will now have high hopes that signing up to the imminent US Data Protection Framework will resolve the problems around data transfers to the US. The DPF is likely to be agreed by the end of July, although NOYB (the organisation set up by Max Schrems) is hinting at further legal challenges.  However, this decision resonates beyond the US. It will be relevant for any transfers of personal data caught by the GDPR to countries which are not considered essentially equivalent under EU law.

The Irish DPC's decision does not take immediate effect.  Meta has up to 12 October 2023 before it needs to suspend transfers under the SCCs, and until 12 November to delete or move back to the EU the personal data unlawfully transferred to the USA.  The Irish DPC has reiterated that it does not agree with the decision the EDPB had required it to take and Meta has already confirmed it will appeal, which may delay matters further and would likely pause the enforcement of the DPC's decision. Meta has previously reportedly threatened to suspend its services in the EU altogether (something it denies), but, as NOYB notes, it has servers in the EU, and may move to a position where the majority of its European data is hosted in the EEA. However, hosting data in the EEA will not necessarily overcome all the concerns raised by EU regulators if Meta in the US can still access data stored in the EEA.

The decision does not directly apply in the UK although the UK rules on data transfers mirror those under the EU GDPR. In view of the tenor of UK Government's proposed data protection reforms, it seems unlikely that the UK will follow the full approach of the Irish DPC. However, we will need wait to see the ICO's response.

EU framework on cyber sanctions extended to 2025

The Council of the EU has extended the framework for imposing sanctions on people or entities carrying out or threatening cyberattacks which threaten the EU or its Member States to 18 May 2025.

IAB Europe publishes updated TCF

IAB Europe has published v2.2 of its Transparency and Consent Framework (TCF), intended to help the digital advertising industry comply with GDPR.  Key changes include:

• Removal of legitimate interests as a lawful basis for advertising and personalised content
• Additional information to be provided to end-users and more user-friendly language
• Standardisation of additional information about vendors and their processing operations so this information can be disclosed to end-users
• Transparency over the number of vendors seeking to establish a legal basis on the first layer of Creative Management Platform (CMP) user interfaces
• Specific requirements to facilitate users' withdrawal of consent. Publishers and CMPs will need to ensure users can resurface the CMP user interfaces and withdraw consent easily.

EDPB finalised guidelines on facial recognition technology in the area of law enforcement

The EDPB has adopted the final version of its guidelines on facial recognition in the area of law enforcement.  The guidelines stress that facial recognition tools must be used in strict compliance with the Law Enforcement Directive and only where necessary and proportionate under the EU Charter of Fundamental Rights.  The EDPB repeats its call for a ban of FRT in certain situations as expressed in its joint opinion with the EDPS.  Clarifications were added following consultation on the draft guidelines.

CNIL launches AI action plan

The CNIL has launched its action plan for addressing data protection in AI deployments.  It sets out a four-phase plan for understanding AI, supervising development, supporting innovation and system auditing.  It will be expanding its work on augmented cameras and to cover generative AI, large language models and derived applications, especially chatbots.

News as at 18 May 2023

European Parliament provisionally agrees AI Act negotiating position

The European Parliament has reached political agreement on its negotiating position on the EC's draft AI Act.  Formal adoption is expected on 14 June.  The proposal will then move to trilogues given the Council agreed its position in December 2022.  MEPs have suggested a number of potentially significant amendments to the Commission's proposal.

Unacceptable risk AI

An amended list of banned 'unacceptable risk' AI to include intrusive and discriminatory uses of AI systems such as:

• real-time remote biometric identification systems in publicly accessible spaces
• post remote biometric identification systems, with the only exception of law enforcement for the prosecution of serious crimes and only after judicial authorisation
• biometric categorisation systems using sensitive characteristics (eg gender, race, ethnicity, citizenship status, religion, political orientation)
• predictive policing systems (based on profiling, location or past criminal behaviour)
• emotion recognition systems in law enforcement, border management, workplace, and educational institutions
• indiscriminate scraping of biometric data from social media or CCTV footage to create facial recognition databases (violating human rights and right to privacy).

High-risk AI

Suggested changes would expand the scope of the high-risk areas to include harm to people's health and safety, fundamental rights, or the environment.  High-risk systems will include AI systems used to influence voters in political campaigns and in social media recommender platforms (with more than 45m users under the DSA).  High-risk obligations are more prescriptive, with a new requirement to carry out a fundamental rights assessment before use.  However, the European Parliament's proposal also provides that an AI system which ostensibly falls within the high-risk category but which does not pose a significant risk can be notified to the relevant authority as being low-risk.  The authority will have three months to object, during which time the AI system can be launched.  Misclassifications will be subject to fines.

Enhanced transparency measures

Providers of foundation model AIs would be required to guarantee protection of fundamental rights, health and safety and the environment, democracy and rule of law.  They would be subject to risk assessment and mitigation requirements, data governance provisions, and to obligations to comply with design, information and environmental requirements, as well as to register in the EU database. 

Generative AI model providers would be subject to additional transparency requirements, including to disclose that content is generated by AI.  Models would have to be designed to prevent them from generating illegal content and providers will need to publish summaries of copyrighted data used for training. They will also be subject to assessment by independent third parties.

Additional rights

MEPs propose additional rights for citizens to file complaints about AI systems and receive explanations of decisions reached by high-risk AI systems that significantly impact them.

REUL Bill amended to narrow scope

As widely reported in the media, the government has published amendments to the scope of the REUL Bill.  The sunset clause which automatically revoked EU-derived direct and secondary legislation has been replaced with a clause revoking the legislation explicitly set out in Schedule 1. This covers around 600 pieces of legislation, much of which is concerned with fishing, food and the environment.  In terms of data privacy, the following laws are listed in Schedule 1:

• Data Retention and Acquisition Regulations 2018 (S.I. 2018/1123) – Regulation 3 – these Regulations amend Parts 3 and 4 of the Investigatory Powers Act 2016 which provide for the retention of communications data by telecommunications and postal operators, and access to that data by public authorities, by bringing into force a code of practice.  Regulation 3 amends s22 of RIPA so that access to traffic or location data may only be authorised for the prevention of serious harm. This amendment is set to fall away under REUL.
• Council Decision (EU) 2019/682 of 9 April 2019 authorising Member States to ratify, in the interest of the European Union, the Protocol 1955 amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data – the whole decision This relates to an amendment to Convention 108. The Decision authorised Member States to ratify the amended protocol insofar as its provisions fell within the exclusive competence of the Union.  The Council of Europe is not an EU organisation.  The UK signed up to the amended Convention 108 in October 2018.
• Decision (EU) 2019/2071 of the European Parliament and of the Council of 5 December 2019 appointing the European Data Protection Supervisor – the whole Decision

Even as amended, the Bill still stands to have a considerable impact on the UK's legal framework but changes beyond those laws being revoked under Schedule 1 will take more time to take effect and will evolve, potentially over many years.

Keeling Schedules published for DPDI2 Bill

The government has published Keeling Schedules to show proposed changes to the UK GDPR, Data Protection Act 2018, and PECR under the Data Protection and Digital Information Bill 2.  The schedules show the planned changes under the DPDI Bill which is helpful given it operates largely by amending existing provisions rather than by restating the resulting new law.

Publication of Irish DPC Meta decision imminent

The Irish DPC has reportedly sent Meta its decision on the issue of the validity of its data transfers to the USA under SCCs, and whether its supplementary measures are sufficient to afford the data adequate protection.  Meta will be given some time to prepare for release of the decision which is likely to happen on 22 May.

Government publishes guidance on security of connected places (smart cities)

The government has published guidance on the security of connected places or smart cities.  The collection of guidance applies to a number of stakeholders including senior leadership, decision makers and managers.  It also applies to IT professional and cybersecurity leads, information managers, processors and users.  The guidance covers a range of design and management issues including protection of a connected place's data, managing incidents and response and recovery.  It is intended to guide security decisions and processes on the design, implementation and management of a connected place for those buying or operating connected places technologies.

News as at 11 May 2023

ECJ ruling on interpretation of 'right to a copy' under GDPR

The ECJ has published a judgment on interpretation of the right of access under Article 15 GDPR and, specifically, the meaning of "copy" and "information" in Article 15(3).  The reference was made from Austria and asked the court about the scope of the right and whether the obligation to provide a "copy" is fulfilled by the controller supplying a summary table or whether the right entails the transmission of document extracts, entire documents and extracts from databases in which the personal data is reproduced. 

The ECJ held that:

• "Copy" in Article 15(3) GDPR, means the data subject must be given a faithful and intelligible reproduction of relevant data.  The right entails the right to obtain copies of extracts from documents, entire documents or extracts from databases containing the relevant data, if the provision of the copy is essential in order to enable the data subject to exercise their GDPR rights effectively, taking into account the rights and freedoms of others.
• The term "copy" does not relate to a document as such but to the personal data it contains which must be complete.  Because the information must be provided in a way which is intelligible and easy to understand, the context in which the data is processed, for example, where there is an absence of information, can be an essential part of providing the copy.
• "Information" in Article 15(3) relates exclusively to the personal data of which the controller must provide a copy.

Mere infringement of the GDPR does not give rise to a right to compensation, says ECJ

The ECJ has ruled in Österreichische Post case, that mere infringement of the GDPR does not give rise to a right to compensation, however, there is no requirement for non-material damage suffered to reach a certain threshold of seriousness in order to confer a right to compensation.

The Austrian Supreme Court referred questions around the right to compensation following a claim for non-material damages made by an individual against the Austrian postal service after it collected information on the political affinities of Austrian citizens and used that to create targeted address lists without providing the data subjects with required information.

The ECJ held that the right to compensation under 82(1) GDPR, is clearly subject to three cumulative conditions: infringement of the GDPR; material or non-material damage resulting from the infringement; and a causal link between the two.  Accordingly, not every infringement gives rise, by itself, to a right to compensation as it may not result in damage.  The ECJ went on to hold that there is no requirement for non-material damages to reach a certain level of seriousness in order to give rise to a right to compensation.  It is for Member States to assess damages in accordance with applicable national rules.

Advocate General opinion on administrative fines

The Advocate General of the ECJ has published an opinion relating to the long-running Deutsche Wohnen litigation. 

The Berlin Court of Appeal asked the ECJ:

• whether a GDPR fine can be imposed on a legal entity without first establishing the liability of a natural person, and
• whether, in order to attract a fine, a breach must be intentional or negligent.

The AG opined that it is not necessary to establish the liability of a natural person, and that data protection regulators cannot issue administrative fines unless the relevant breach was intentional or negligent.  In other words, there is no strict liability for breaches of the GDPR.  If followed by the ECJ, this will have wider implications for German law where it goes further than EU law.

ICO launches beta testing of Innovation Advice service

The ICO has launched public beta testing of its free Innovation Advice service designed to answer specific data protection questions.  The service is open to any size of organisation across all sectors, planning to use UK personal data to drive a new or innovative product, service or business model that is not yet live.  Questions can be asked at any stage of development prior to launch.  The ICO aims to respond to queries within 10-15 days. 

FTC proposes ban on Meta monetising minors' data

The US Federal Trade Commission is proposing to expand its 2020 privacy order against Meta.  Alleging that Facebook has not complied with elements of the order, which related to the Children's Online Privacy Protection Act Rule, the FTC is now suggesting Meta platforms be restricted from monetising personal data of under-18s or using it for commercial gain once they turn 18.  The FTC is also suggesting Meta should have to get independent confirmation that its privacy practices comply with relevant law, and disclose use of and get consent to any future uses of facial recognition technology.

There is debate over the extent to which the original order can be amended and Meta will be fighting the FTC's latest complaint, accusing it of being a "political stunt".

ENISA report on standardisation of cyber security for AI

ENISA (the European agency for cyber security) has published a report Cybersecurity of AI and standardisation.  The report provides an overview of existing and proposed standards to prepare for the EU's AI Act.  Key recommendations include:

• developing standardised AI terminology for cyber security
• developing technical guidance on how existing standards relating to software cyber security should be applied to AI
• considering the inherent features of Machine Learning in AI.  Risk mitigation should be considered by associating hardware/software components to AI; reliable metrics; and testing procedures
• promoting the cooperation and coordination across standards organisations' technical committees on cyber security and AI to help address concerns in a coherent manner.

News as at 4 May 2023

European Parliament reaches provisional political agreement on AI Act position

The European Parliament continues to work on its compromise position for the draft AI Act and has reportedly reached provisional political agreement.  According to Euractiv, the latest draft proposes distinguishing between foundation models – AI trained on broad data at scale, designed for general output but adaptable to a wide range of tasks (like ChatGPT) – and general purpose AI which can be used and adapted to purposes for which it was not intentionally or specifically designed.  The proposal is that foundation models would be subject to stricter requirements, for example, testing, risk mitigation, data governance and maintenance requirements.  Generative AI foundation models would also be subject to additional transparency requirements.  There are also moves to share responsibility across the AI value chain, and a proposal for the European Commission to develop non-binding standard contractual clauses for particular sectors.

The Parliament has reportedly added a layer to the high-risk classification whereby a model which falls within Annex III would only be deemed to be high risk where it posed a significant risk of harm to health, safety or fundamental rights.  AI used to manufacture critical infrastructure will be categorised as high risk if it entails a severe environmental risk.  Recommender systems of VLOPs (under the DSA) will also be high risk.

Once the Parliament's compromise text is adopted, the AI Act will move to trilogues.

DRCF annual report and 2023/4 workplan

The Digital Regulatory Cooperation Forum has published its workplan for 2023/24.  There will be a particular focus on online safety and data protection, promoting competition and data protection, illegal online financial promotions, supporting effective governance of AI and algorithmic systems, enabling innovation in relevant regulated industries, digital assets, and, more broadly, on joint horizon scanning and cooperation.

Meta prepares for bad news on data transfer decision

Meta has allowed for significant fines and a potential halt on its EU-US data transfers according to filings with the US Securities and Exchange Commission.  Meta has provided for the Irish Data Protection Commissioner to rule that its use of Standard Contractual Clauses and supplementary measures do not sufficiently protect EU personal data transferred to the USA.  A decision is expected by 12 May.  There is likely to be a three month compliance period but if the EU-US Data Protection Framework is not agreed by the end of that period, Meta has warned it may need to cease a number of its EU services including the Facebook and Instagram platforms.

EDPB guidance for small businesses

The EDPB has published a Data Protection Guide for small businesses as part of its awareness-raising programme.  It covers the basics of data protection including cyber security, data subject rights and data breaches.  It also includes links to materials for SMEs developed by Member State data protection regulators.

AG Opinion on technical and organisational measures

AG Pitruzzella has delivered an opinion on a reference to the ECJ by Bulgaria.  The questions arose following a data breach of data held by a public body which resulted in claims made for non-material damage as a result of worry and fear that data might be misused in future.  The questions related to appropriate security measures, beach liability and compensation for non-material damage.

Points of interest include the AG's opinion that:

• The question of whether technical and organisational measures are appropriate involves a balancing exercise between the economic interests and technological capacity of the controller and the rights of the data subject, taking into account the principle of proportionality.
• The mere occurrence of a data breach does not entail that technical and organisational measures were not appropriate but the burden of proving that they were is on the controller.  This process may be made easier by compliance with codes of conduct and certification.
• The fact that the breach was committed by a third party does not in itself exempt the controller from liability.  The controller must demonstrate they were not in any way responsible for the event causing the damage.
• Fear of possible future misuse of data will only constitute non-material damage giving rise to compensation where there is actual and certain emotional damage.  Mere trouble or inconvenience is not sufficient.

BEIS Strategy Committee report on worker rights

The Business, Energy and Industrial Strategy Committee has published a report on workers' rights and protection.  Among the recommendations are that the government introduce a right for workers to be consulted and notified when technology will result in their surveillance, and to consult on an enforceable code of practice on the use of surveillance technology in the workplace.

News as at 27 April 2023

Data Protection and Digital Information Bill latest

The Data Protection and Digital Information Bill had its second reading in the Commons.  Parliament has issued a call for written evidence on the DPDI2 Bill, calling on those with relevant experience or special interest to submit evidence as soon as possible for consideration by the House of Commons Public Bill Committee which is expected to report by 13 June 2023.  This follows the Bill passing its second reading in the Commons and the publication of a research briefing by the House of Commons Library at the end of March.

Report from EEA DPA task force on NOYB complaints

The EEA Data Protection Authorities (DPAs) have published a report on the outcome of the work carried out by the task force set up to look into the 101 complaints filed by NOYB following the Schrems II decision.  The report sets out the common positions of the task force members and on the first cases concerned.  The task force was set up to promote a consistent approach to handling the identical complaints which were filed relating to the transfer of personal data to the USA made by Google Analytics and Facebook Business Tools. 

The views expressed in the report do not represent the position of the EDPB, nor do they prejudge the outcomes of remaining complaints.  Key findings include:

• It is not possible to enter into Standard Contractual Clauses and give them retroactive effect to legitimise transfers which happened prior to the conclusion of the SCCs.
• Supplementary measures must be set up on a case by case basis.  Anonymisation is not suitable where it takes place following the export of the data, nor where the importer as provider of the tool has legal obligations to provide cryptographic keys.
• Controllers must be able to demonstrate accountability and compliance with the GDPR.  This includes being able to point to a pre-installation compliance check. Compliance is a duty on the controllers, but also on the providers of the analytics tools who may be both processors or controllers.
• Website operators are to be considered as controllers for the processing of personal data of website visitors by analytics tools.  The degree of liability for the processing operations must be determined on a case by case basis, taking into account the different functions and options selected for the relevant analytics tool.

ICO reprimands Surrey and Sussex police forces

The ICO has issued reprimands to Surrey and Sussex Police for using an app that recorded phone conversations and unlawfully processed personal data.  In line with the policy of not issuing large fines to public organisations, the ICO has chosen to issue the reprimands in place of what could have been £1m for each force.  The app was available to staff and recorded all incoming and outgoing phone calls.  1,015 members of staff downloaded the app and more than 200,000 phone conversations were subsequently recorded.  Those downloading the app as well as those making calls, were unaware that the calls would be recorded.

EDPB sets up task force on ChatGPT

Following concern from multiple Member State regulators about ChatGPT and potential non-compliance with the GDPR, the EDPB has set up a dedicated task force to foster cooperation and exchange information on possible enforcement actions conducted by data protection authorities.  The Italian regulator, the Garante, has lifted its ban on the chatbot subject to OpenAI making changes to its privacy practices, including around transparency and lawful basis.

ICO response to government AI White Paper

The ICO has responded to the government's AI White Paper consultation.  It broadly supports the government's aims, including the AI sandbox and the overall sector-based approach, however, it does raise a few issues including:

• it suggests that the fairness principle apply not only to the use of AI but also to its development
• concerns around regulator funding
• potential issues with different regulatory approaches and any potential clash with data protection regulation.

The ICO stresses the important role of the Digital Regulation Cooperation Forum and recommends that the government prioritise research into the type of guidance and the Sandbox activities that AI developers would most value.

ICO blog on use of live facial recognition by Facewatch

The ICO has published a blog explaining that it is closing its investigation into the use of live facial recognition by Facewatch.  Facewatch's LFR product uses LFR to help businesses (usually shops) protect staff, customers and stock by spotting 'subjects of interest'.  The ICO had raised concerns about the product. It agreed that there was a legitimate interest for its use (to prevent crime) but had issues including in relation to the amount of personal data processed. The ICO said Facewatch had made improvements, including by reducing the personal data collected, and appointing a DPO.  As a result the ICO is closing its investigation but it warned use of LFR would be assessed on a case by case basis.

EDPB adopts Article 65 decision on Meta transfers

The EDPB has adopted an Article 65 dispute resolution decision concerning a draft decision by the Irish Data Protection Commissioner on whether or not Meta is lawfully transferring personal data to the USA.  The content of the decision has not been made public and the Irish DPC must now adopt its final decision within one month.  The EDPB will publish its decision after the Irish DPC has notified its decision to Meta Ireland.

MEPs vote against EU-US Data Protection Framework

The European Parliament LIBE Committee has adopted its rejection of the proposed EU-US data protection framework as expected.  This is unlikely to derail the adoption process as the European Parliament does not have a binding vote in the approval process. 

EDPB adopts final Guidelines on data subject rights

The EDPB adopted final Guidelines on data subject rights – Right of access.  The guidelines analyse the right of access and set out clarification on its scope, the information the controller has to provide to the data subject, the format of the access request, the main modalities for providing access, and the notion of manifestly unfounded or excessive requests.  Some minor clarifications were added during the consultation phase.

News as at 6 April 2023

UK government publishes AI White Paper

The UK government has published a White Paper which sets out a framework for the UK's approach to regulating AI as part of the National AI Strategy and following a 2022 consultation. The government has decided not to legislate to create a single function to govern the regulation of AI.  It has elected to support existing regulators in developing a sector-focused, principles-based approach.  Regulators including the ICO, the CMA, the FCA, Ofcom, the Health and Safety Executive and the Human Rights Commission will be required to consider the following five principles to build trust and provide clarity for innovation:

• safety, security and robustness
• transparency and explainability
• fairness
• accountability and governance
• contestability and redress.

UK regulators will publish guidance over the next year which will also include practical tools like risk assessment templates, and standards. The guidance will need to be pro-innovation, proportionate, trustworthy, adaptable, clear and collaborative, underpinned by the following four core elements of the government's AI framework:

• defining AI based on its unique characteristics to support regulator coordination
• adopting a context-specific approach
• providing a set of cross-sectoral principles to guide regulator responses to AI risks and opportunities. The government expects to introduce a statutory duty on regulators to have due regard to the five AI principles, following an initial period
• delivering new central government functions to support regulators in delivering the AI regulatory framework, including by horizon scanning and supporting an iterative regulatory approach.

Further elements to be considered by regulators are set out in Annex A.

The government also supports the findings of the Vallance Review published earlier in March, which looked at the approach to regulating emerging and digital technologies.  With regard to AI, Sir Patrick Vallance recommended:

• the government work with regulators to develop a multi-regulator sandbox to be operational within six months, supported by the Digital Regulatory Cooperation Forum (DRCF) comprising Ofcom, the ICO, the CMA and the FCA
• the government should announce a clear policy position on the relationship between intellectual property law and generative AI to provide confidence to innovators and investors.

Interestingly, while providing for a regulatory sandbox, the AI White Paper does not set out further policy on the relationship between IP and generative AI although the Intellectual Property Office is working on a code of practice which is expected to be ready by the Summer.

The government has also published:

• a report setting out evidence to support the analysis of impacts for AI governance (supported by the CDEI which confirmed public engagement)
• a letter from DSIT to the DRCF setting out its role under the AI framework of facilitating cross-regulator engagement on developing AI framework principles, horizon scanning and establishing a cross-sectoral AI sandbox.

The government will monitor the effectiveness of this policy and of the resulting guidance, and consider whether it is necessary to introduce legislation to support compliance with the guidance.  It intends to publish an AI regulatory roadmap which will set out plans for establishing central government functions for the four elements of the AI framework.  The government also plans to publish a draft AI risk register for consultation, an updated roadmap and a monitoring and evaluation report some time after March 2024.

EDPS joining EDPB coordinated enforcement action re DPOs

The European Data Protection Supervisor will be joining the EDPB's coordinated enforcement action against DPOs.  While the EDPB will focus on the role of the DPO at national level in the public and private sectors, the EDPS will concentrate on the role of DPOs in EU institutions. 

Meta's plans for EU targeted advertising compliance taking shape

Meta has announced that it is switching its lawful basis for processing data for behavioural adverts from contractual necessity to legitimate interests from 6 April.  This is as a result of the Irish Data Protection Commissioner's compliance order following its conclusion that Meta could not rely on contractual necessity for this type of processing on its Facebook and Instagram platforms.  Meta also said "Relevant users will also be notified of this change, which will give them additional options around how we process certain information to serve behavioural advertisements".

The Wall Street Journal reports that the "additional options" will allow EU users to submit an online opt-out form electing to receive targeted advertising based on broad categories of data.  The opt-out request would then be reviewed before being actioned.

ICO looks at generative AI as Garante bans ChatGPT

The ICO has published a list of eight questions for developers and users of Generative AI to ask themselves in response to the rise of generative AI and large language models (LLMs), and in the context of the signature by academics of a letter calling for a six-month moratorium on the development of AI, as well as the recently reported ChatGPT data breach.

The ICO reminds organisations developing or using generative AI that they need to take a data protection by design and default approach and to be aware that using personal data to train or develop generative AI will engage data protection law, whether or not the data comes from publicly available sources. They should ask themselves the following questions:

• What is the lawful basis for processing personal data?
• Are you a controller, joint controller or processor?
• Have you done a DPIA to assess and mitigate risks?
• How will you ensure transparency?
• How will you mitigate security risks?
• How will you limit unnecessary processing?
• How will you comply with individual rights requests?
• Will you use generative AI to make solely automated decisions which will have legal or similarly significant effects?

Meanwhile in Italy, the Italian data protection regulator, the Garante, announced an immediate ban on ChatGPT and an investigation into its parent company OpenAI's GDPR compliance.  The Garante says OpenAI does not have a lawful basis for processing such large amounts of personal data to train ChatGPT, it does not verify the age of users and so exposes minors to unsuitable answers, there are transparency issues, and there are security concerns following a recent data breach.  OpenAI has been given 20 days to respond with a compliance proposal or face a fine.  While disagreeing with the Garante's findings. OpenAI has disabled access to ChatGPT in Italy.  German regulators are also reportedly considering their response pending further information from the Italian regulator.

ICO sets out priorities for FOIA complaints

The ICO has set out a prioritisation framework for handling complaints made against public authorities under the Freedom of Information Act (FOIA) and the Environmental Information Regulations. It will prioritise complaints which have a significant public interest, assessing them with reference to whether:

• there is a high public interest in the information requested or a new, unique or high profile issue which needs to be looked into quickly
• groups or individuals are likely to be significantly affected by the information requested
• prioritisation by the ICO would have significant operational benefits or support public authorities (for example where it might provide the basis for guidance for public authorities)
• the requester aims to use the information for the benefit of the public, for example, awareness raising of a significant issue.

TikTok fined £12.7m for misusing children's personal data

The ICO has fined TikTok Technologies UK Limited and TikTok Inc (TikTok) for a number of data protection breaches relating to children's data.  These included allowing more than one million UK children under 13 to use its platform contrary to its terms of service, processing the personal data of under-13s without personal consent, and not taking adequate age verification measures including action to remove underage children from the platform.

The ICO reduced the fine which was originally set at £27m after taking into account representations from TikTok and not pursuing the provisional finding relating to unlawful use of special category data.

DPA immigration exemption still non-compliant with DPA 18, says High Court

The High Court has ruled the immigration exemption in the Data Protection Act 2018, remains unlawful and must be made clearer, saying previous actions by the government to make the exemption comply with the UK GDPR have not resolved the issue.  The court said the government needs to make it a legal requirement to comply with a code or policy setting out the safeguards and tests to be applied before using the immigration exemption.  An obligation merely to "have regard to" it is insufficient.

Non-EEA controllers must potentially notify multiple SAs of data breaches, says EDPB

The European Data Protection Board has adopted final revised Guidelines on Personal data breach notification under the GDPR.  Non-EEA controllers will be dismayed to see that the guidelines advise notifiable breaches must be notified not just to the supervisory authority in the country of the controller's representative, but to the SA of each Member State in which affected individuals live.  The EDPB points out that the one-stop-shop mechanism is not engaged by the presence of a representative in a Member State.

News as at 30 March 2023

News as at 23 March 2023

ICO publishes updated guidance on AI and data protection

In line with its ICO25 strategy, the ICO has published updated guidance on AI and Data Protection, following requests for clarification on fairness requirements when using AI.  The guidance has been restructured and a number of sections have been expanded or added.  It covers:

• accountability and governance implications of using AI
• transparency
• lawfulness
• accuracy and statistical accuracy
• fairness (including bias and discrimination and the impact of Article 22 UK GDPR on fairness)
• individual rights.

What's new?

• The guidance contains new content on things to consider as part of a DPIA.
• There is a new stand-alone chapter looking at the transparency principles as they apply to AI although the main guidance on transparency and explainability is included in the existing guidance on Explaining Decisions Made with AI.
• The section on lawfulness has been moved into a stand-alone chapter with content added on AI and inferences, affinity groups and special category data.
• The section on accuracy and statistical content has been moved to a stand-alone chapter but the content has not changed.

Similarly the fairness section is now stand-alone and this has been added to in order provide information on:

• data protection's approach to fairness and how that applies to AI with a non-exhaustive list of legal provisions to consider
• the difference between fairness, algorithmic fairness, bias and discrimination
• high level considerations when thinking about evaluating fairness and inherent trade-offs
• processing personal data for bias mitigation
• technical approaches to mitigate algorithmic bias
• how solely automated decision-making and relevant safeguards are linked to fairness and key questions to ask when considering Article 22 of the UK GDPR
• a new Annex A on fairness in the AI lifecycle from problem formulation to decommissioning, including an explanation of different sources of bias that can lead to unfairness and possible mitigation measures
• an update to the glossary with new definitions.

The ICO says the updated guidance is in line with the government's ambitions to adopt a pro-innovation approach to AI with embedded principles of fairness. The ICO expects further updates to the guidance will be required to keep up with technological and legislative developments.  

Separately, it's been reported that the ICO will set up a hotline to provide guidance on emerging technologies, initially as a pilot project, in order to help companies apply legislation to their technologies.

CNIL's 2023 enforcement plan

As we discuss in more detail here, the CNIL has listed its top four priorities for 2023:

• The use of "augmented" cameras by public bodies.
• The use of the FICP database by French banking institutions.
• Healthcare institutions' access to digital medical records.
• The use of tracking technologies by mobile apps.

Dutch and Austrian decisions on Facebook tracking practices

The Amsterdam District Court has held that Facebook Ireland breached data protection law when processing the personal data of Dutch Facebook users between 1 April 2010 to 1 January 2020.  Personal data was processed for advertising purposes in breach of lawful basis, transparency and information requirements.  Facebook was, however, permitted to have placed the obligation to inform users about third party cookies, onto the third party websites operators.  The issue before the court was whether or not Facebook had acted lawfully – compensation was not available.

Separately, the Austrian DPA has published a decision in response to one of the NOYB complaints saying that Facebook's tracking pixel tools breach the GDPR and violate the Schrems II decision on data exports.  The DPA said that the same principles which led to its declaration that the use of Google Analytics is unlawful, apply to the Facebook Login and Meta Pixel tools.  These tools use data which is inevitably transferred to the USA.  The DPA advises EU website operators not to include any tools from Meta on their websites.  No fines were imposed.

EDPB co-ordinated enforcement action on role of DPOs

The EPDB has announced its second annual co-ordinated enforcement action, which will look at the designation and position of Data Protection Officers (DPOs).  26 Data Protection Authorities are expected to take part in the process and will send questionnaires to DPOs in their respective jurisdictions.  They will be focusing on issues including independence, appointment process and other GDPR requirements.  Findings will be analysed to decide whether there is a need for further action and the EDPB will publish a report.

ICO reduces Easylife Ltd fine

The ICO has reduced the fine handed down to Easylife in October 2022, from £1.35m to £250,000 for using customer purchase data to profile and predict their medical conditions, and then target them with health-related products without consent.  Easylife was separately fined £130,000 for making unsolicited marketing calls.  The ICO found that Easylife profiled customers making purchases from its Health Club catalogue in order to target them with health-related items.  This meant the company was processing 'invisible' health data – people were unaware that their personal data was being used for that purpose.

Easylife has since stopped the unlawful processing of special data.  The ICO has reduced the monetary penalty following an appeal, saying "Having considered the amount of the penalty again during the course of the litigation, in light of issues raised by Easylife, I considered that a reduction was appropriate".

News as at 16 March 2023

Data Protection and Digital Information (No.2) Bill published

The newly created Department for Science, Innovation and Technology (DSIT), has published the Data Protection and Digital Information (No.2) Bill (DPDI2).  The original Bill (DPDI1) was published in July 2022 and then put on hold in September under the Liz Truss government to allow for further consideration.  DPDI2 is substantially similar to its predecessor with largely minimal changes and clarifications.  Unfortunately, it still operates by amending existing legislation rather than producing a complete piece of draft new legislation which makes it hard to digest.

Notable amendments include:

• Definition of scientific research – DPDI1 included a definition of scientific research lifted largely from the UK GDPR recitals.  Under DPDI2, the definition has been further clarified to specify that it applies whether the scientific research is "carried out for commercial or non-commercial purposes" as well as whether it is publicly or privately funded.  There is a non-exhaustive list of types of scientific research which has been moved from the recitals to the body of the legislation. Further clarification is added to the concept of research into public health which is only included as scientific research where it is in the public interest.  As before, controllers are not required to notify data subjects that their data is being used for research, archival or statistical purposes where the data has been collected directly from the data subject and to notify them would be impossible or require disproportionate effort.

• Recognised legitimate interests – DPDI1 provided that in cases of "recognised" legitimate interests, there would be no requirement to carry out a balancing exercise against the rights and freedoms of individuals.  The types of interests which were recognised under DPDI1 were public interests including national security, defence and crime prevention.  DPDI2 does not change this approach but it moves a non-exhaustive list of the types of processing which may be necessary for the purposes of a legitimate interest from the recitals of the UK GDPR, to the body of the new Bill.  This includes direct marketing; intra-group transfers where necessary for internal administrative processes; and processing necessary for ensuring the security of networks and information systems.  The Explanatory Notes further clarify that any legitimate commercial activity can be a legitimate interest provided the processing is necessary and subject to meeting the requirements of the balancing test.

• Records of processing (ROPAs) – DPDI1 aimed to simplify the current UK GDPR requirement to keep ROPAs, not only in terms of the information to be recorded, but by providing an exemption for SMEs not carrying out high-risk processing.  DPDI2 goes significantly further.  It removes the SME exemption and provides instead that ROPAs are only required where high-risk processing is being carried out.  The ICO is required to publish examples of processing likely to pose a high risk to the rights and freedoms of individuals. 

• Automated decision making – DPDI1 introduced a new definition of solely automated decision-making to the effect that it was solely automated processing involving no human intervention.  DPDI2 adds that when considering whether or not there is meaningful human involvement in taking a decision "a person must consider, amongst other things, the extent to which the decision is reached by means of profiling".  There is provision for the Secretary of State to make regulations on this subject.  This addition  is somewhat unclear as to what the role of profiling plays and whether, in itself, it indicates an automated decision subject to Article 22 restrictions. 

• International data transfers – DPDI1 introduced a new data protection test for assessing adequacy.  This has not changed the government has further clarified that transfer mechanisms lawfully entered into before the new Bill comes into effect, will continue to be valid and can be relied on going forward so there will be no need for updates. 

• PECR, direct marketing and cookies – the provision of soft opt-in for direct marketing for non-commercial activities and other changes introduced under DPDI1 remain, including a new duty on providers of public electronic communications networks to notify the ICO of any reasonable grounds of suspicion of unlawful direct marketing, with penalties for non-compliance. The ICO is required to publish guidance on what constitutes reasonable suspicion, and the Explanatory Notes make it clear that this does not constitute a monitoring duty or an obligation to intercept or inspect communications.  There are no changes to DPDI1 proposals on cookies.  Significantly increased fines for breach of PECR equivalent regulations are also retained.

The government has also published a summary of key EHCR issues under the Bill and information standards for health and social care. It remains confident that nothing in DPDI2 will jeopardise EU adequacy.

EU Council circulates compromise Cyber Resilience Act text

Euractiv has seen a new compromise text for the Cyber Resilience Act published by the Swedish presidency of the EU Council.  It suggests that changes are not particularly significant and that some of the more controversial elements have not yet been amended.  There is clarification on interaction with the AI Act and General Product Safety Regulation, a new article mandating Member States to put appeal procedures in place for product manufacturers to challenge the decision of accredited auditors, and clarification around categories of penalties.

Norwegian DPA follows others on Google Analytics

The Norwegian regulator is the latest DPA to find (on a preliminary basis) that use of Google Analytics breaches GDPR rules on data transfers.  A formal decision is likely at the end of April. The DPA recommends use of alternative tools. 

Damages awarded for covert recording and publication of naked images

The High Court awarded general damages of £60,000 plus special damages in respect of claims including infringement of privacy and misuse of private information.  The claims were made after the defendant covertly recorded naked images of the claimant and then published them on a website alongside a photograph of her face.  The court agreed that the knowledge these images had been published online led to the claimant suffering chronic PTSD and to a personality change. 

Irish DPC publishes 2022 annual report

The Irish DPC has published its 2022 annual report which sets out the significant role the Irish Data Protection Commission plays in enforcing the GDPR.  Over the year, the DPC concluded 17 large-scale investigations and issued fines of more than €1bn, representing two thirds of the financial penalties imposed for GDPR breaches in the EU.  This is in addition to dealing with beach notifications, cross-border and national complaints, and carrying out direct marketing investigations.

TikTok announces data localisation measures

TikTok has announced its plans to host EU user data on servers in Ireland and Norway and to have any data transfers outside the EU vetted by an independent third party.  The proposals are similar to those being introduced in the US under Project Texas.  TikTok will also introduce security gateways to enhance data access control by determining employee access to EU user data, and work to incorporate privacy enhancing technologies.

ICO publishes resources for product designers

The ICO has published guidance to help product and UX designers, product managers, QA testers and software engineers embed data protection into their products and services by design.  The guidance sets out key considerations for each stage of product design up to post -launch.

European Parliament finalises position on Data Act

The European Parliament has agreed its negotiating position on the EC's draft Data Act.  Suggested amendments include:

• clarifications of the types of data in scope
• strengthening trade secret protection for data holders
• clarifying provisions on switching cloud providers
• extending the fairness check which prevents large companies from imposing unfair contractual terms to all companies regardless of size
• clarifying what constitutes a public emergency allowing public bodies to request access to privately held data and allowing for fair remuneration for that access
• giving the European Data Innovation Board a role in coordinating enforcement of the Regulation.

Once the Council agrees its final position, trilogues will begin.

News as at 2 March 2023

EU-US adequacy agreement a step closer following qualified support from EDPB

The EDPB  has adopted its non-binding Opinion on the adequate protection of personal data under the EU-US Data Privacy Framework (DPF).  In summary, the EDPB welcomes improvements as compared with the Privacy Shield, in particular, the recognition of the principles of necessity and proportionality, and the enhanced oversight and redress regime.  However, it also expresses a number of concerns, recommending the Commission seek clarification, and underlines that the effectiveness of the framework will depend on the extent to which it is followed through in practice.  In other words, the EDPB is not dismissing the DPF nor seeking to block the EU-US adequacy decision, but neither is it giving unqualified support.

General data protection aspects

The EDPB comments that the DPF Principles have not changed significantly from those under the Privacy Shield.  As a result, some of the issues of concern under the Privacy Shield remain, including those relating to the rights of data subjects, the absence of key definitions, lack of clarity around application to processors and a broad exemption for publicly available information.  The EDPB is also concerned about protections for onward transfers, and the fact that protections in around automated decision-making, profiling and AI technologies tend to be sector specific.  The EDPB says in these areas, rules are needed to provide sufficient safeguards, including the right for the individual to know the logic involved, to challenge the decision, and to obtain human intervention where the decision significantly affects them.

The EDPB stresses the importance of effective oversight and enforcement and underlines the need for compliance checks.  The EDPB says it will be monitoring these aspects, and the effectiveness of redress mechanisms (many of which are the same as those in the Privacy Shield) closely, including in the context of periodic reviews.

Access to EU personal data by US public authorities

The EDPB recommends that the Executive Order 14086 (EO) be accompanied by updated policies and procedures across all US intelligence agencies.  It recommends the Commission assess these and share their assessment with the EDPB.  The EDPB says the EO represents a "significant improvement" by introducing additional safeguards and the concepts of necessity and proportionality into the US legal framework on signals intelligence.  It also finds that the proposed redress mechanism for EU citizens alleging unlawful use of their data by US public bodies, to be "significantly improved" compared with the Ombudsperson mechanism under the Privacy Shield.  However, the EDPB sees a need for further clarification on questions in particular relating to "temporary bulk collection" and to the further retention and dissemination of bulk collection data. 

The EDPB's focus is on the holistic approach to the safeguards and it raises a number of concerns about particular aspects of the US bulk data collection regime under FISA and Executive Order 12333.  It also raises concerns about the practical functioning of the Data Protection Review Court which, it says, will require monitoring by the Commission to ensure it is not routinely dismissing claims.

Review and monitoring

The EDPB concludes that the EO provides "substantial improvements" compared to the previous framework but asks for its concerns to be addressed and for the Commission to provide requested clarifications and ongoing monitoring of the implementation of the DPF and the safeguards it provides.  It also says it expects the Commission to stick to its commitment to suspend, repeal or amend the adequacy decision on grounds of urgency if necessary.

Full steam ahead?

Despite expressing some concerns, the EDPB's Opinion does not contain anything likely to hold up a new EU-US adequacy decision and, notwithstanding the disapproval of the European Parliament's LIBE Committee, we should see the decision approved shortly.

European Commission to propose legislation to harmonise GDPR enforcement

The European Commission has published a call for evidence regarding its plans to introduce legislation to further harmonise GDPR enforcement by national regulators.  The legislation is likely to harmonise administrative procedures and cooperation mechanisms for cross-border cases. The call closes on 24 March 2023.

EDPB sets out 2023/23 work programme

The EDPB has adopted its work programme for 2023/24.  The programme is based on the EDPB's strategy to 2023, and grouped around four pillars.  Broadly we can expect the following guidelines on a wide range of issues including:

• data subject rights of access
• legitimate interests
• children's data
• data breach notification
• blockchain
• interplay between the AI Act and the GDPR
• use of facial recognition technology by law enforcement
• use of social media by public bodies
• use of data transfer tools.

The EDPB will also focus on:

• compliance mechanisms for controllers and processors
• resources for SMEs
• co-ordinating the enforcement framework
• ensuring consistent decision making by national regulators
• encouraging use of the full range of enforcement mechanisms
• collaborating with non-EEA regulators.

EDPB adopts final guidelines and report on one-stop-shop Articles 17 and 21

The EDPB has adopted final guidelines on:

• The Interplay between the application of Article 3 and the provision on international transfers in Chapter V GDPR – these are intended to assist controllers and processors when identifying whether a processing operation constitutes an international transfer.
• Certification as a tool for transfers – these complement guidelines 1/2018 on certification.
• Guidelines on deceptive design patterns in social media interfaces – practical recommendations for designers and users of social media platforms on how to assess and avoid deceptive design patterns in social media interfaces that infringe on GDPR requirements.

The EDPB also published a one-stop-shop case digest which looks at thematic issues from one-stop-shop decisions relating to the Article 17 right to erasure and the Article 21 right to object.  The report summarises the key issues and outcomes from the decisions at a very high level and contains links to the relevant EDPB decisions.

ICO calls on accountants to help SME clients with data protection compliance

The ICO has called on UK accountants to help their SME clients establish compliant data protection practices.  It sets out a list of seven questions which accountants can ask.  These cover basic compliance issues including security measures, SARs, data beaches, privacy notices and data mapping.

Chinese SCCs and Regulations published

China has published standard contractual clauses and SCC Regulations which will take effect on 1 June 2023.  Businesses will be able to use SCCs in order to transfer personal data where:

• the exporter is not a critical information infrastructure operator (as defined)
• the data exporter is not processing personal data of over 1million data subjects
• the data exporter has not made aggregated transfers of personal data of more than 100,000 data subjects since 1 January of the preceding year, and
• the data exporter has not made aggregated transfers of  sensitive personal data exceeding 10,000 data subjects since 1 January of the preceding year.

The SCC Regulations prohibit breaking down the data volume to circumvent the CAD security assessment which is required under the Measures on Security Assessment for Outward Data Transfer.

The SCCs are not modular – there is one template for all transfers.  Before carrying out a transfer, the exporter must carry out an impact assessment and prepare a report covering specified information and SCC agreements must be filed with the specified authorities.

News as at 23 February 2023

European Parliament LIBE Committee fails to back EU-US adequacy decision

The European Parliament's LIBE Committee has refused to back the draft EU-US adequacy decision, saying the Data Protection Framework does not provide EU citizens with a level of data protection equivalent to that in the EU.  The Committee urges the Commission to renegotiate, however, its opinion is not binding on the Commission as its part in the adoption process is limited to the right to scrutiny.   All eyes will now be on the much more important EDPB's opinion which is due in the next few weeks. 

ICO guidance to games developers on compliance with the Children's Code

The ICO has published top tips for games designers on how to comply with the Children's Code.  These include:

• Conduct risk assessments – the ICO says a defined process is helpful to identify and minimise data protection risks to children in games.  This should include consulting with external stakeholders including children, and possibly completing a Children's Rights Impact Assessment; assessing and documenting the game's appeal to children at the design stage and with legacy products to inform whether and what age verification measures are needed or whether elements need to be tailored to children; regularly reviewing assessments after a game goes live and adjusting if necessary eg if unexpected age groups are playing; and ensuring randomised rewards are assessed against the Children's Code and the government's response to its consultation on loot boxes.

• Know your players' ages – assess and document how you will identify players under 18 and work out their actual ages with an appropriate level of certainty; investigate potential age assurance solutions to be implemented across all products as quickly as possible once identified; and implement measures to discourage or prevent players giving fake ages.

• Be transparent – this could be done by eg running user research trials on child friendly privacy information with different age groups; or designing age-appropriate different ways to communicate privacy information according to age group.

• Prevent detrimental use of children's data – ensure all optional uses of personal data are off by default and only activated after valid consent from the player (or parent/guardian where the player is under 13); introduce checkpoints or natural breaks in game play into game design, together with messaging to encourage players to take breaks; and implement measures to control or monitor product placement, advertising or sponsorship arrangements within community servers where children can access them from within the game.

• Set high privacy settings and parental controls – this could be by providing parents with real time alerts about their children's activities both in-game and in terms of their privacy settings; ensure players are given age-appropriate explanations if they try and change their settings; assess whether it is possible to introduce variable settings to allow children to control what personal data is visible to others; have high privacy settings by default including by having voice chat settings off by default, providing a 'do not disturb' permanent and session setting, allowing settings for friend requests to include 'no one'; and introduce a setting to allow only other children to communicate, as well as other options for age assurance to help identify adults trying to communicate with children in the chat function.

• Use profiling responsibly – children must be given control over both whether and how their personal data is used, especially where profiling is not essential to game play.  This should include checking any third party advertising provider is displaying age-appropriate in-game content; providing age-appropriate information in-game at the point profiling takes place, encouraging children to ask a trusted adult and only activate profiling if they understand what it is; and separate the opt-in consent for marketing from the acceptance of ts and cs and the privacy policy when players create a new account – profiling for marketing purposes should be off by default for children.

• Do not use nudge techniques to lead children to make poor privacy decisions – assess and document the risk of introducing time-limited or one time only offers on items targeted at children; implement positive nudge techniques to promote the best interests of the children; review how competitions and partnerships are communicated, including by being mindful of encouraging children to create media accounts in order to take part in competitions; monitor player behaviour and click-throughs to identify any unintentional nudge points; and use a neutral purchase button design and support workflows to allow a decision not to proceed with a purchase.

Information Rights Tribunal ruling in Experian case

The Information Rights Tribunal has ruled on an appeal against the ICO's action to require credit reference agency Experian Limited to change its data protection practices.  The ICO issued an enforcement notice to Experian in October 2020, following a two year investigation into how the company and two other major credit reference agencies were using the personal information of adults for direct marketing purposes.

The Tribunal agreed with the ICO's findings that Experian had not processed the personal data of over five million individuals transparently, fairly or lawfully because it failed to notify them it was processing the data for direct marketing purposes.  The Tribunal did, however, disagree with the ICO's assessment that Experian's privacy notice was insufficiently transparent, that using credit reference data for direct marketing purposes was unfair, and that Experian failed to properly consider its lawful basis for that use.

The ICO has said it will consider the ruling and decide whether or not to appeal.

IAB Europe applies to Belgian Market Court for TCF protection

IAB Europe has asked the Belgian Market Court to grant it protection on an interim basis for its ongoing work on its Transparency and Consent Framework (TCF).  IAB agreed a corrective measures plan with the Belgian DPA after it said that the TCF did not comply with the GDPR.  While the DPA said that the corrective measures would bring the TCF into GDPR compliance, aspects of the DPA's initial ruling are now being reviewed by the CJEU.  IAB is now asking the Belgian court to shield iterations of the TCF which are less directly impacted by the reference to the CJEU.

EDPB to publish ruling on Meta data transfers by 14 April

The EDPB's eagerly awaited ruling on the validity of data transfers by Meta and Instagram under Standard Contractual Clauses is set to be published by 14 April.  The Irish DPC, acting as lead supervisory authority, provisionally ruled that the transfers were unlawful.  If the EDPB backs this up before an EU-US adequacy is reached, Meta has said it may need to suspend its services in the EU.

Digital Advertising Alliances launch uniform approach to consent management and privacy choices

A coalition of "leading privacy self-regulatory organisations"  - regional Digital Advertising Alliances – has published tech specifications and user interface guidelines to help brands and publishers simplify and improve user choice experience.  The aim is to allow integration of the AdChoices option with consent management platforms. 

CMA updates timetable for investigation into use of advertising data by Meta

The CMA has said it will extend the period of its investigation into suspected breaches of the Competition Act 1998 by Meta to summer 2023.  The investigation relates to Facebook's collection and use of data in the context of providing online advertising services, and its single sign-on function, and whether this results in an unfair competitive advantage over its competitors.

Meta updates its ad targeting information

Meta has announced it is updating it's 'Why am I seeing this ad' information to cover information about machine learning, and will provide summarised information about how different actions on its platforms will influence machine learning models.

EDPS Opinion on draft passenger information Regulations

The EDPS has published an Opinion on two EC draft Regulations which deal with the collection and transfer of advance air passenger information (API) collected during the check-in process.  They are intended to replace Directive 2004/82.  The EDPS recommends:

• Processing of API should be limited to what is strictly necessary
• Harmonised criteria and a common methodology should be developed to help determine on what basis and from which intra-EU flights data should be collected.  This should align with the CJEU ruling on the PNR Directive (Case C-817/19).
• Envisaged security measures should be further strengthened by applying additional data protection safeguards, such as pseudonymisation or encryption where technically and operationally possible.

The EDPS supports harmonised practices in relation to the collection, sharing and retention of API.

Member States to ratify Second Additional Protocol to the Convention on Cybercrime

The Economic and Financial Affairs Council has adopted a Decision authorising EU Member States to ratify the Second Additional Protocol to the Convention on Cybercrime (the Budapest Convention) which provides common rules at international level to enhance cooperation on cybercrime and the collection of evidence in electronic form for criminal investigations or proceedings.  The UK has already signed the protocol along with 24 other countries.

News as at 16 February 2023

CJEU ruling on position of DPOs and interpretation of Article 38 GDPR

The CJEU has ruled in a reference from Germany on interpretation of Article 38 GDPR.  The questions referred related to the role of national legislation in determining when a DPO can be dismissed, and interpretation of the Article 38(6) reference to 'conflict of interests'.  It followed a claim for unfair dismissal after a German DPO who was also Chair of the Works Council was dismissed from the DPO role when the GDPR took effect on the basis that there was a conflict of interest. 

The CJEU held that:

• Article 38(3) GDPR must be interpreted as not precluding national legislation which provides that a controller or processor may dismiss a DPO who is a member of staff, solely where there is just cause, even if the dismissal is not related to the DPO's performance of their tasks, in so far as the national legislation does not undermine the GDPR.
• Article 38(6) should be interpreted as meaning that a 'conflict of interests' may exist where a DPO has other duties which would result in them determining the objectives and methods of processing on behalf of the relevant controller or processor (which is for national courts to determine).

UK government call for views on software resilience and security for businesses and organisations

The UK government has published a call for views on software resilience and security for businesses and organisations.  The UK is looking to strengthen resilience of digital products and services throughout the business supply chain. It wants to better understand the nature of software risks as a whole to UK organisations and where the government should focus on mitigating them. A wide range of software used by organisations and in business is covered including SaaS, open source embedded and firmware.  Input is sought across the digital supply chain including developers, cybersecurity experts, users and maintenance service providers.

Home Office consultation on review of the Computer Misuse Act 1990

The Home Office is consulting on proposals to update the Computer Misuse Act, following a 2021 announcement that it would be reviewed.  The consultation follows a call for information and is of particular interest to law enforcement agencies, domain name registrars and registries, and hosting providers.  The review of the Computer Misuse Act is being carried out to ensure the UK's legislative framework continues to support action against the harm caused by online cybercrime.  Views are sought on three proposals for legislation:

• A new power to allow law enforcement agencies to take control of domains and IP addresses where they are being used by criminals to support criminality.
• A power to allow a law enforcement agency to require the preservation (rather than access to) of computer data so it can determine whether that data would be needed in an investigation.
• A power to allow action to be taken against a person possessing or using data obtained by another person through a CMA offence, such as through accessing a computer system to obtain personal data, subject to appropriate safeguards.

The consultation closes on 6 April 2023. 

Garante bans US chatbot from processing Italian personal data

The Italian DPA, the Garante, has issued an order imposing provisional limitation of processing against US AI chatbot Replika.  The chatbot generates a 'virtual friend' which interacts with the user.  The Garante said that the Chatbot posed a particular risk to children and contained no age verification measures to protect them.  Replies served by the chatbot were often inappropriate and there is no valid lawful basis for processing.  Luka Inc. the company behind the product was ordered to cease processing Italian data immediately, inform the Garante within 20 days of measures taken to comply with the SA, or face a fine of up to €20m or 4% of annual global turnover.

Biometrics and Surveillance Camera Commissioner annual report

The Biometrics and Surveillance Camera Commissioner has published a joint Annual Report 2021-22 covering biometrics and surveillance technology.  In his introduction, he has warned that the current plan to replace the Surveillance Camera Code with the DPDI Bill effectively does away with current rules without providing a comprehensive replacement framework or suitable oversight.  He also expresses concerns about 'mission creep' of ANPR cameras, the use of drones capturing footage of public spaces, and the use by law enforcement of citizen phone camera footage. 

News as at 9 February 2023

European Commission to track large-scale cross-border investigations

The EC has announced it will oversee the progress of every large-scale GDPR enforcement case.  The Commission will require all national regulators to share an overview of large cross-border investigations every other month.  The Commission will take into account the steps the DPAs are taking and how long they take.  This move comes off the back of complaints made by the Irish Council for Civil Liberties following which, the EU Ombudsperson recommended the Commission monitor the progress of big tech cases under the Irish Data Protection Commissioner's jurisdiction.  However, the Commission has decided to apply the same regime to all EU regulators and for all largescale cross-border cases, although practically, this is most likely to impact the Irish DPC.

ICO updates change of approach to regulating communications service providers

On 20 January 2023, the ICO said it had decided to stop enforcing failures to file personal data breach reports under Regulation 5A of PECR which requires a communications service provider to notify the ICO within 24 hours of becoming aware of a data breach. The ICO's decision was based on the fact that the incidents tend to be caused by human error, involving one individual, are quickly resolved and result in risk remediation measures being swiftly implemented. Following feedback, the ICO has updated its statement which now says that it will use its discretion not to take enforcement action provided breaches are still reported within 72 hours.  The ICO will continue to take enforcement action in relation to the underlying breaches reported where warranted, and continues to expect breaches likely to adversely affect the personal data or privacy of subscribers or users to be reported within 24 hours.

ICO statement on FRT use in North Ayrshire schools

The ICO has published a statement confirming that the use of Facial Recognition Technology (FRT) by North Ayrshire Council in nine schools was likely to have infringed the UK GDPR.  The likely infringements included:

• failure to get valid consent to processing of personal data and for special data processing – while consent was the appropriate lawful basis, the Council had failed to meet the criteria for informed consent
• failure to comply with information requirements
• failure to limit data retention
• failure to complete a sufficiently comprehensive DPIA.

The ICO said FRT could be used lawfully in schools but in this case, it had most likely not been.  In line with its policy on enforcement against public bodies, the ICO made a series of recommendations to be applied by the Council, rather than imposing a financial penalty. 

DCMS guidance on certification under UK digital identity and trusts framework

DCMS has published a policy paper on how organisations can be certified under the UK digital identity and attributes trust framework (DIATF), together with consolidated guidance on the digital identity programme.  The framework, currently under development, will enable digital identities to be reused in a secure manner.  Organisations must be certified to participate and can already complete this process.

DHSC draft guidance on NHS England's obligations to protect patient data

DHSC has published draft statutory guidance pursuant to s274A of the Health and Social Care Act 2012.  The draft guidance sets out measures NHS England is required to take to protect the confidentiality of patient data as it has now taken over NHS Digital's statutory functions as of the end of January 2023.  NHS England is required to adopt the same statutory protections implemented by NHS Digital together with additional measures to further enhance confidentiality and data protection.

ENISA report on Engineering personal data sharing

The European Agency for Cybersecurity (ENISA) has published a report on Engineering personal data sharing.  The report looks more closely at specific use cases relating to personal data, primarily in the health sector. It discusses how specific technologies and considerations of implementation can support meeting specific data protection requirements, including through cryptographic techniques.  It also discusses data sharing in the health sector and using third party services, as well as considerations for giving effect to data subject rights.

News as at 2 February 2023

Meta US data transfer decision to go to EDPB under Article 65 GDPR

The Irish Data Protection Commissioner's draft decision on the lawfulness of Meta's data transfers from the EU to the USA, is to go through the Article 65 dispute resolution procedure after concerned supervisory authorities could not resolve disagreements.  The Irish Data Protection Commissioner had sent them a draft decision in July 2022, which, if approved, would require Meta to cease transferring personal data to the US under Standard Contractual Clauses.  Meta has warned this would result in it ceasing to offer services in the EU, however, alongside this dispute, the EU is working towards finalising a US adequacy decision in the Spring.

Compromise text for Data Act published

The Swedish Presidency of the Council of the European Union has published its compromise text for the Data Act, as reported by Politico.  Among the changes are provisions to ensure consistency with the GDPR, enhanced transparency obligations on cloud service providers around cross-border data transfers, and new provisions relating to governmental access to data.  Provisions to protect trade secrets have been bolstered, as have cloud service switching requirement measures.  The fairness requirement on data-sharing obligations has been broadened to apply to all contractual arrangements, regardless of the size of the contracting business. 

JD Sports reports cyberattack

JD Sports has said a cyberattack potentially accessed personal data and financial information of 10m customers.  The incident affected some online orders made by customers between November 2018 and October 2020 and targeted purchases of products of its JD, Size? Millets, Blacks, Scotts and Millets Sport brands.  The company has informed the ICO and will be contacting affected customers.  The information which may have been accessed included names, billing and delivery addresses, phone numbers, order details and the last four digits of payment cards.  In a press release, JD Sports said the affected data was "limited" as it did not hold full payment data and did not believe account passwords had been accessed.

News as at 26 January 2023

Irish DPC fines WhatsApp €5.5m following EDPB Article 65 decision

The Irish Data Protection Commissioner has fined WhatsApp Ireland €5.5m.  The decision follows on from the fines handed down to Instagram and Facebook earlier this year and relates to similar issues ie transparency, and the reliance on contractual necessity for processing operations and whether it was actually forced consent.  In its draft decision, the DPC found there were breaches of transparency obligations. 

It also found WhatsApp was not effectively relying on consent so the contention that it used 'forced consent' was not sustainable.  The DPC said that WhatsApp was not required to rely on consent.  None of the competent authorities disagreed with this part of the analysis and that element of the complaint was rejected.  The German SA (with whom the complaint was originally filed) is now responsible for adopting a separate decision for the parts of the complaint which have been rejected under Article 60(9) GDPR.

The DPC then went on to consider whether, in principle, the GDPR precluded WhatsApp Ireland's reliance on contractual necessity and decided it did not.  There were objections to this view from six competent supervisory authorities (CSAs) and the decision went through the Article 65 procedure under which the EDPB issued a binding decision.  The EDPB upheld the DPC's views on breach of transparency provisions, adding an additional breach.  It was in relation to this additional breach that the fine was imposed as the DPC had already imposed a €225m fine on WhatsApp Ireland for transparency breaches.

However, the DPC also found that WhatsApp Ireland is not entitled to rely on contractual necessity for the delivery of service and security (excluding IT security) for the WhatsApp service and that its processing of this data on the basis of contractual necessity to date is in breach of the Article 6(1) GDPR requirement to process personal data fairly and lawfully.

The DPC once again takes issue with the EDPB's direction to conduct a fresh investigation into WhatsApp Ireland's data processing operations to determine whether: it processes special category data; processes data for the purposes of behavioural advertising, marketing, data analytics, and the exchange of data with affiliated companies for the purpose of service improvements; and in order to determine whether it complies with the relevant obligations under the GDPR.  As with the EDPB's directions to conduct investigations into Instagram and Facebook, the DPC says the EDPB does not have the authority to make such a direction and it will appeal to the CJEU to have it set aside.

EDPB report from Cookie Banner Taskforce

The EDPB has adopted a report on work carried out by the Cookie Banner Taskforce which was established in September 201 to coordinate the response to complaints about cookie banners filed across the EEA by NOYB.  The taskforce was set up to share information and ensure a consistent approach to cookie banners in the EEA. 

The report sets out the opinion of the taskforce on whether various types of commonly used cookie banners breach the ePrivacy Directive cookie consent requirements:

• No reject button on first layer – the "vast majority" but not all the DPAs said that not including a 'reject all' button alongside an 'accept all' would breach consent requirements.  It is interesting that there was not complete consensus on this point as there have been some large fines on exactly that point, including, most particularly, from the French DPA, the CNIL.

• Pre-ticked accept options – the taskforce members agreed these breach consent requirements.

• Deceptive link design (either direct link to object, or link to second layer) – the members agreed there must be clear information about what the banner is about, on the purpose of consent being sought and how to consent.  In order for consent to be valid, the user has to able to understand what they are consenting to and how to consent, and for consent to be freely given, the user must not be given the impression that they need to consent in order to access the content behind the banner, nor pushed towards consent.  The taskforce members agree that valid consent is not achieved when the only alternative action offered aside from giving consent, is a link behind wording such as 'refuse' or 'continue without accepting' embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user's attention to this alternative action; or where the only alternative action offered to consent is a link behind wording such as 'refuse' or 'continue without accepting' placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users' attention to this alternative action outside the frame.

• Deceptive button colours and contrast (which eg highlight the 'accept all' button over other choices)­ – these need to be assessed on a case by case basis to determine whether they are misleading.  This practice could be manifestly misleading for users where the contrast between the writing and the background of the button is so minimal that the text is unreadable.

• Legitimate interests claimed, list of purposes (possibility of accepting read/write operation at first level but no option to refuse, or second level makes no distinction between refusal to read/write operations and potential objection to further processing presented as falling within legitimate interest of the data controller) – where there is no valid consent to the cookies, any subsequent processing cannot be compliant with the GDPR.  The legal basis for the placement/reading of cookies pursuant to Article 5(3) of the ePrivacy Directive cannot be legitimate interests.

• Inaccurately classified 'essential' cookies – the taskforce recognised difficulties in assessing which cookies are essential despite the availability of supporting tools and regulator advice.

• No withdraw icon – the taskforce said controllers need to provide easily accessible solutions allowing users to withdraw consent to cookies at any time.  It gave the example of a small, hovering, permanently visible icon, or a link placed in a visible and standardised place.  The effectiveness of a solution would need to be assessed on a case by case basis as there is no mandated standard.

EDPB report on cloud-based services coordinated enforcement action

The EDPB has adopted a report on the findings of its first co-ordinated enforcement action which focused on the use of cloud-based services by the public sector.  22 DPAs across the EEA looked at 100 public bodies operating in a range of sectors.  The report sets out the findings, lists actions already taken by DPAs in the field of cloud computing, and makes a series of recommendations to help with GDPR compliance when using cloud services.

DCMS-commissioned report on global data localisation requirements

DCMS has published an independent report it commissioned on data localisation requirements.  It looks at the extent and impacts of potential data localisation measures and includes summary tables as well as 'deeper dives' on some jurisdictions.

ICO Tech Horizons Report

The ICO's first Tech Horizons Report looks at technologies emerging over the next two to five years and analyses their impact on society in the context of personal data.  The ICO says businesses must consider transparency, what control people have over their data, and how much data is gathered, in order to ensure services are data compliant and developed with consumer privacy at the forefront.  The report covers:

• consumer health tech
• next generation IoT
• immersive technology
• decentralised finance.

Relevant businesses are encouraged to be part of the ICO's sandbox scheme and to consider privacy at an early stage in order to maintain public trust and confidence.

US-UK Comprehensive Dialogue on Technology and Data

The UK and US governments published a summary of the first meeting of the US-UK Comprehensive Dialogue on Technology and Data.  Among the issues discussed were the finalisation and implementation of a data bridge for UK-US data flows, collaboration on facilitating global trusted data flows, and development of AI standards and tools.  The next formal meeting will be in January 2024 although quarterly progress reports will be published in the interim.

News as at 19 January

EDPB Article 65 decisions published as Irish DPC appeals aspects

The EDPB has published its Article 65 decisions on the Irish Data Protection Commissioner's investigations of Facebook and Instagram which led to significant fines last week.  The Irish DPC is appealing the element of the decisions which requires it to conduct an 'own volition' investigation into the data processing practices of Facebook and Instagram and, in particular, their use of special data.  The DPC claims the EDPB does not have the authority to do this and is asking the CJEU to annul that aspect of the EDPB's decisions.

In the meantime, the Guardian reported that Meta has said that Facebook and Instagram will restrict data available to advertisers which helps them target teens.  From February, advertisers will not be able to access a user's gender or posts they have engaged with for targeted advertising purposes.  They will only have access to the user's age and location.  Teens will also be given extended user controls which will allow them to opt to see less of certain types of advertising.

IAB Europe says Belgian DPA has approved revised TCF plans

IAB Europe says the Belgian Data Protection Authority (APD), has approved its plans to make changes to its Transparency and Consent Framework (an industry-led consent solution for adtech), to bring the TCF into GDPR compliance.  The APD found that elements of the TCF were unlawful in February 2022, and IAB Europe submitted its rectification plan in April last year. 

IAB Europe said the proposed measures were based on the assumptions that:

• the TC String (a digital signal containing user preferences) should be considered personal data, and
• IAB Europe acts as joint controller in respect of dissemination of TC Strings and other data processing done by TCF participants.

Both these assumptions have, however, been referred to the CJEU for a preliminary ruling.  While IAB Europe says it is pleased with the APD's approval, it also expresses concern that it has pre-empted responses by the CJEU to the reference on the issues.

CJEU decision on disclosure of identity of recipients of personal data

The CJEU has ruled on a reference from the Austrian Supreme Court in the Oesterreichische Post case relating to Article 15(1)(c) of the GDPR.  This provides a right for data subjects to get information from a controller on request, about the recipients or categories of recipients to whom their data has been or will be disclosed.  The referring court asked whether this meant that the controller had to disclose the specific identity of actual recipients.

The decision followed the Advocate General's Opinion and held that the controller is required to provide the data subject on request with the actual identity of recipients unless it is not possible to identify them in which case they may indicate the categories of potential recipient.  Where the request by the data subject is manifestly unfounded or excessive, the controller may also indicate categories rather than actual identities of recipient.  The CJEU said the right of access is necessary in order to enable the data subject to enforce other GDPR rights such as rectification and erasure.  Without identifying specific recipients, this would not be possible.

CJEU rules civil and administrative remedies under GDPR can run concurrently

The CJEU has ruled in a reference from Hungary, that remedies available to data subjects to enforce their rights through the courts under Articles 77 and 79 can be exercised concurrently.  Article 77 provides a right to administrative appeal of a Supervisory Authority's decision.  Article 79 allows for action before a civil court against a controller.  The referring court asked whether in the context of reviewing the lawfulness of an SA decision, it is bound by the final judgment of the civil courts concerning the same facts and the same alleged GDPR infringement.  The court was also concerned about a situation in which the decisions might conflict and asked whether one remedy should take priority over the other.

The CJEU held that actions can run in parallel and independently of each other.  There is no priority or exclusive area of competence or jurisdiction, nor is there a rule of precedence.  It is up to Member States to ensure that no conflict is created by procedural rules and that contradictory decisions in relation to the same processing of personal data do not exist within a single Member State.  See our article for more.

CNIL fines TikTok €5m for cookie consent failings

The CNIL continues its scrutiny of cookie consent practices and has fined TikTok Ireland and TikTok UK  €5m for breaches of the French Data Protection Act on the basis that:

• TikTok's consent mechanisms did not allow users to refuse cookies as easily as accepting them, and
• TikTok did not give users sufficiently precise information about the purposes of the different cookies.

The CNIL focused on the fact that while there was an 'accept all' button, there was no equivalent 'reject all' one but instead, several steps were required to reject cookies.

Digital Rights Ireland appeals Irish DPC's decision on Facebook data user leak

Digital Rights Ireland is appealing a decision by the Irish Data Protection Commissioner before the Irish Circuit Court.  The DPC investigated a complaint by Digital Rights Ireland on behalf of 100m Facebook users whose data was left publicly accessible.  The DPC agreed that Facebook had breached the GDPR by allowing the data to be scraped but found the breach did warrant notification to individual users by Facebook. Digital Rights Ireland contends the event did constitute a notifiable breach to individuals.

German competition regulator issues statement of objections against Google's data processing terms

The German competition regulatory, the Bundeskartellamt, has sent Alphabet Inc., Google Ireland and Google Germany, its preliminary assessment on Google's data processing terms.  It says it assumes that s19a of the German Competition Act (GWB) applies which means Google has to change its data processing terms and practices.  The Bundeskartellamt says users are not given sufficient choice as to whether and to what extent they agree to the processing of their data across the google ecosystem and that any choices offered are insufficiently transparent and too general.  The way the choices are presented also makes it easier for users to consent than to refuse. 

The Bundeskartellamt recognised that Google may face restrictions around combining personal data across its services under the Digital Markets Act and also that the GWB partially exceeds these future requirements.  It said it is in close contact with the European Commission about that.  A final decision is expected later this year.

News as at 12 January 2023

Irish DPC fines Meta €390m

The Irish Data Protection Commission has fined Meta Platforms Ireland Limited (formerly Facebook Ireland Limited) a total of €390m for breaches of the GDPR in relation to its Facebook and Instagram services following binding decisions by the EDPB under the Article 65 procedure.  The DPC also requires Meta to bring its data processing operations in line with the GDPR within three months.

The DPC began two inquiries into Facebook and Instagram in 2018, following two complaints made on 25 May 2018 when the GDPR came into effect, which raised essentially the same issues.  Ahead of the application of the GDPR, Meta had changed its terms of service for its Facebook and Instagram services.  Having previously relied on consent to the processing of user personal data for the delivery of its services (including for behavioural advertising), Meta changed the lawful basis for most (but not all) of its processing operations to the 'necessary for performance of a contract' basis (Article 61(b)).  Users were required to accept the new terms of service in order to continue access.

Meta's position was that when the user accepted the terms of service, they entered into a contract with Meta.  The relevant data processing operations were necessary in order to perform that contract and deliver Facebook and Instagram services (as the case may be), which included providing personalised services and behavioural advertising. 

The complainants argued that Meta was effectively relying on consent rather than the contractual necessity lawful basis because by making accessibility to its services conditional on accepting the updated terms of service, it was forcing users to consent to the processing of their personal data for personalised services and behavioural advertising in breach of the GDPR.

The Irish DPC, as Meta's lead EU regulator, reached provisional findings that:

• Meta had not clearly outlined to users what processing operations were being carried out with their personal data and for what purposes and by reference to which lawful basis.  This amounted to a breach of the transparency and information obligations under Articles 12 and 13(1)(c) of the GDPR.  It also amounted to a breach of the Article 5(1)(a) requirement that personal data be processed fairly, lawfully and in a transparent manner.  It proposed fining Meta in relation to these breaches.
• Where Meta did not rely on user consent as a lawful basis for processing, it could not be said to be forcing consent and, in principle, the GDPR did not preclude Meta from relying on the contractual necessity lawful basis, including in relation to personalised services and advertising.

The DPC's draft decisions were then referred to other concerned supervisory authorities (CSAs) under the cooperation and consistency mechanism of the GDPR.  In relation to the first finding about breach of transparency and information requirements, the CSAs agreed with the DPC's findings although argued the proposed fines were too low.  However, ten of the CSAs took the view that Meta should not be permitted to rely on the contractual necessity lawful basis on the grounds that the delivery of personalised advertising could not be said to be necessary to perform the core elements of what they said was a more limited contract.

The DPC argued that the provision of Facebook and Instagram services include and appear to be premised on the provision of a personalised service which includes personalised or behavioural advertising.  As such, this is central to the bargain struck between users and their chosen service provider and forms part of the contract concluded on acceptance of the terms of service.

As consensus could not be reached, the matter was referred to the European Data Protection Board under the Article 65 dispute resolution procedure.  The EDPB reached its conclusions on 5 December.  It upheld the DPC's position on transparency, added an additional breach of the fairness principle, and directed the DPC to increase the amount of the fines it was proposing to issue.

The EDPB also found that Meta was not entitled to rely on the contractual necessity lawful basis for the purpose of behavioural advertising. 

The Irish DPC is bound to follow the EDPB's determinations.  Accordingly, in its final decisions, it reflected the EDPB's findings and increased the fines imposed on Meta to €210m in respect of Facebook and €180m in respect of Instagram.  It now requires Meta to bring its processing operations into GDPR compliance within three months.

A Meta spokesperson has said Meta will appeal the substance of the decision, reportedly adding "We strongly disagree with the DPC's final decision and believe we fully comply with the GDPR by relying on contractual necessity for behavioural ads given the nature of our services".  Meta also published a blog defending and explaining its data protection practices in response to the decision.

The Irish DPC also noted that the EDPB had directed it to conduct a fresh investigation into Facebook and Instagram's processing operations and use of special data.  The DPC said it does not believe it is "open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation" and it will therefore bring an action for annulment of that element of the EDPB's decision before the CJEU.

While the EDPB's conclusion on the issue of contractual necessity was not altogether unexpected, it raises very real questions for Meta's business model in the EU and, more widely.  It suggests that for many controllers (for whom provision of personalised advertising is not core to their service from the data subject's perspective), legitimate interests or possibly consent are the only available lawful bases for such processing.  However, being able to rely on legitimate interests is subject to the outcome of a legitimate interests assessment which will vary on a case by case basis, and consent is problematic as it is difficult to meet GDPR standards in this context.  It now remains to be seen whether Meta will be successful in appealing aspects of the DPC's final decisions, and what, if any, changes it will make to its EU processing operations.

NIS2 Directive published in Official Journal

The NIS2 Directive was published in the Official Journal on 27 December 2022, entering into force 20 days later.  Member States must adopt implementing legislation by 17 October 2024, to apply from 18 October 2024.   The original NIS Directive (2018/97) is repealed with effect from 18 October 2023.  Regulation 910/2014 (eIDAS), and Directive 2018/1972 (establishing the Electronic Communications code) are amended from that date.  For more on the NIS2 Directive, see here.

CNIL fines Apple and Microsoft over cookie consent

At the end of December 2022, France's data protection authority, the CNIL, fined Apple €8m over failure to get consent from French users to tracking for the purposes of serving personalised ads.  It found that under iOS 14.6, when a user visited the App Store, identifiers used for several purposes, including personalisation of ads on the App Store, were automatically deposited without valid consent because consent was ticked by default and a number of steps were required for users to deactivate it.

The CNIL also fined Microsoft €60m for dropping third party cookies when users visited its search engine bing.com, without getting user consent or providing the ability for users to reject the cookies as easily as accepting them.  Two clicks were needed to reject whereas only one was needed to accept.  Microsoft was ordered to bring its practices into compliance within three months or face additional fines.  Since 29 March 2022, there has been a 'refuse all' option on bing.com.

News as at 5 January 2023

Adoption process for EU-US Data Privacy Framework begins

The European Commission published a draft adequacy decision for the EU-US Data Privacy Framework, following President Biden's Executive Order.  The decision could be adopted as early as March 2023 although it is thought July is more likely.  The draft decision is with the EDPB which must deliver an Opinion, following which it must be approved by a representative Committee of the Member States and then adopted by the Commission.  The European Parliament also has a right of scrutiny. 

US organisations will be able to join the Framework by committing to a series of privacy obligations.  The US commits to limiting the access to EU data by intelligence agencies to what is necessary and proportionate, and there is provision for an independent and impartial redress mechanism, including through a Data Protection Review Court. 

The safeguards provided under the adequacy decision will also be an indication of compliance with the Schrems II criteria for the purposes of other authorised transfer mechanisms. Read more.

UK South Korea Adequacy Regulation now in effect

The Data Protection (Adequacy) (Republic of Korea) Regulations 2022 are now in force.  They provide for frictionless transfers of personal data between the UK and South Korea without the need for a transfer impact assessment or the use of an additional transfer mechanism.  The Regulations also cover data transfers including personal data relating to credit information – data which is not covered by the EU's South Korea adequacy decision.

WhatsApp €225m fine upheld

In 2021, the Irish Data Protection Commission fined WhatsApp €225m for breaches of the GDPR. The fine related to breaches of transparency requirements, particularly relating to the sharing of WhatsApp data with its parent company Facebook. 

The Irish regulator, acting as Lead Supervisory Authority, had originally intended a lower fine of between €30-50m, however, its provisional decision was rejected by other regulators.  The EDPB subsequently issued a binding decision under the Article 65 procedure requiring the fine to be increased.  It also specified that WhatsApp be given a reduced time of three months to take required remedial actions in relation to its privacy practices.

WhatsApp asked the CJEU to annul the penalty and to allow it to recover costs but the fine was upheld in December.

UK government code of practice for app store operators and developers

On 9 December 2022, the Department for Digital, Culture, Media and Sport (DCMS) published a new voluntary code of practice for app store operators and app developers. The Code sets out minimum security and privacy requirements in the form of eight principles. Some of the principles within the Code are mandated through existing legislation, including data protection law and other principles will help stakeholders demonstrate steps towards adherence.

In summary the eight principles are as follows:

• Principle 1: ensure only apps that meet the code's security and privacy baseline requirements are allowed on the app store. 
• Principle 2: ensure apps adhere to baseline security and privacy requirements.
• Principle 3: implement a vulnerability disclosure process. 
• Principle 4: keep apps updated. 
• Principle 5: provide important security and privacy information to users in an accessible way.
• Principle 6: provide security and privacy guidance to developers. 
• Principle 7: feedback for developers. 
• Principle 8: ensure appropriate steps are taken when a personal data breach arises. 

There will be a nine-month period for app store operators and app developers to adhere to the Code and the Code will be reviewed and, if necessary, updated no later than every two years in light of technological developments.

The government will start to consider how any of the Code's requirements which are not already mandated in law could be legislated for.  It is also looking to identify recommendations for improving the security of apps available through non-mobile app stores intended for non-mobile devices such as games consoles and smart TVs.

Product Security and Telecommunications Infrastructure Act now in force

The Product Security and Telecommunications Infrastructure Act received Royal Assent on 6 December. Part I creates a new security regime for connectable products while Part II deals with telecoms infrastructure reforms.  Much of the substance of Part I is to be covered under secondary legislation.  The PSTIA provides a framework but little detail.  For more, see our article.

UK and DIFC data protection commitments

The UK and the Dubai International Financial Centre Authority have released a joint statement committing to increased facilitation of personal data flows.  The statement says the UK and DIFC have made considerable progress towards creating a "data bridge" to allow frictionless flows of personal data between them and will continue to work towards that goal.

CJEU judgement on right to be forgotten on grounds of inaccuracy

The CJEU has handed down a judgment on a reference form Germany regarding interpretation of Article 17 GDPR and the right to be forgotten.  The reference related to a case involving a request to delete links and thumbnails from search results on grounds of inaccuracy. 

The CJEU commented on the Article 17(3) exemption where the processing of the data in question is necessary for exercising the right of freedom of expression and information.  This requires a balancing exercise in accordance with proportionality principles.  Generally, the starting point is that the data subject's rights will override the legitimate interest of internet users in accessing the information, however, this must be assessed on a case by case basis and in context.

The court also discussed what constituted inaccuracy for the purpose of giving effect to a right to be forgotten request.  The court held that a search engine operator (SEO) must de-reference where the requestor proves that more than a part of minor importance is manifestly inaccurate.  The requestor is only required to show evidence they can reasonably be expected to find and the SEO is not required to play an active role in trying to find facts which are not substantiated by the request.  If the inaccuracy of the relevant information is not obvious in light of the evidence produced by the requestor, the SEO is not obliged to de-list.  However, in such cases, the requestor must have the option to refer the matter to a supervisory or judicial authority and the SEO must warn internet users that proceedings contesting the accuracy of the information are in progress.

In relation to thumbnails published without the accompanying article, a separate balancing exercise is required and the informative value of the photos should be considered without taking into account the context of their publication.  However, text information directly accompanying the photo should be considered.

CNIL rapporteur recommends fining Apple €6m

The Rapporteur to the CNIL has recommended it fine Apple €6m for failing to adequately warn users they were being tracked by its own apps.  The Rapporteur, and the complainant, France Digitale, say that Apple did not apply the same standards of prior consent to its own app tracking transparency feature as for its advertisers.

Uber data breach

Following a high profile data breach in September 2022, in December, Uber said it had suffered a new data breach after a threat actor leaked employee email addresses, corporate reports and IT asset information stolen from a third-party vendor.

Meta to pay $725m to settle US class action re Cambridge Analytica

Meta has agreed to pay $725m to settle the US class action relating to the Cambridge Analytica data breach.  This is the largest settlement in a US data privacy class action to date.  Meta has not admitted wrongdoing and says it has overhauled its privacy practices since the time of the breach.  It is unclear how plaintiffs will claim their share of the settlement which is likely to amount to not more than a few dollars per individual.  A further hearing on the settlement is set to take place in early March.  A multi-billion pound class action relating to the same issues has also been filed with the Competition Appeal Tribunal in the UK.

AG Opinion on right of access

In a reference from Finland, AG Campos Sanchez-Bordona has delivered an Opinion relating to the right of access under Article 15(1) GDPR.  An individual (JM), was seeking information about the identity and positions of people who had accessed JM's personal data at the Bank at which JM was both an employee and a customer.  The Bank, as controller, refused to provide the information arguing that the Article 15(1) right does not apply to log data of the Bank's data processing system which recorded which employees had access to the customer data and at what times.

The AG opined that:

• The employees acting on the controller's instructions could not be regarded as recipients of the personal data within the meaning of Article 15(1)
• Article 15(1), read with Article 4(1) of the GDPR, does not give the data subject the right to know the identity of the employee(s) who accessed their personal data under the authority and/or instructions of the relevant data controller.

 

Epic Games settles with FTC for $520m

Epic Games, the maker of Fortnite, has agreed with the US Federal Trade Commission, that it will pay $520m to settle claims relating to alleged privacy violations and unwanted charges.

Epic will pay $275m for violating COPPA (the Children's Online Privacy Protection Act). The FTC alleged Epic had violated COPPA by collecting children's personal data without parental consent and making it difficult for parents to request deletion of their children's data.  In addition, the FTC alleged Epic's practices of turning on text and voice communications by default harmed children and teens.  Epic will also be required to adopt strong privacy by default settings for children and teens, and ensure voice and text communications are turned off by default. 

A further $245m will be paid to refund customers for the use of dark patterns and deceptive interfaces, including for billing.  The complaint against Epic alleged that Epic used dark patterns to trick users into making purchases, charged account holders without authorisation, and blocked access to purchased content when users questioned unauthorised charges.

EDPB Article 65 Meta decisions

The EDPB adopted dispute resolution decisions on the basis of Article 65 in respect of the Irish Data Protection Commissioner's decisions regarding Meta platforms Facebook, Instagram and WhatsApp.  The decisions were made following complaint-based inquiries and focused on the lawfulness and transparency of processing for behavioural advertising.  The WhatsApp decision looked at the lawfulness of processing for the purpose of improvement of services.  The decisions had not been published at the time of writing pending notification of the controller by the Irish DPA who has one month to adopt final decisions following notification by the EDPB.  Reports suggest Meta could face a fine of as much as €2bn.  Meta says it is too early to speculate and it continues to engage with the Irish DPA.

News as at 8 December 2022

UK government plans to update NIS Regulations

The government has published its response to its call for views on proposals to update the NIS Regulations which implement the EU NIS Directive.  The government now proposes:

• to bring managed services providers within the scope of the Regulations under a widened definition of relevant service providers
• to introduce a two-tier supervisory approach through non-legislative means with the ICO adopting a risk-based approach through new guidance
• widening the range of notifiable incidents to those that disrupt service or which could have a high risk or impact to the service, even if they don't immediately cause disruption.

The UK's reforms will be less wide-ranging than those under the EU's NIS2 Directive and follow a more risk-based, flexible approach.  This means the regimes will diverge and in-scope organisations which operate in both the UK and the EU will have to comply with both regimes.  The new Regulations will be tabled when Parliamentary time allows.

EU Council agrees compromise text on AI Act

The Council of the European Union has adopted its common position on the draft AI Act. Changes from the originally proposed text include:

• a narrower definition of AI systems to cover systems developed through machine learning approaches and logic, and knowledge-based approaches
• private sector use of AI for social scoring is prohibited as are AI systems which exploit the vulnerabilities, not only for a specific group of persons, but also persons who are vulnerable due to their social or economic situation
• clarification of when real-time biometric identification systems can be used by law enforcement
• clarification of the requirements for high-risk AI systems and the allocation of responsibility in the supply chain
• new provisions relating to general purpose of AI and where that is integrated into another high-risk system
• clarification of exclusions applying to national security, defence and the military as well as where AI systems are used for the sole purpose of research and development or for non-professional purposes
• simplification of the compliance framework
• more proportionate penalties for non-compliance for start-ups and SMEs
• increased emphasis on transparency, including a requirement to inform people exposed to emotion recognition systems
• measures to support innovation.

The European Parliament is expected to agree its negotiating position on the AI Act in Q2 of 2023, at which point trilogues will begin.

EDPB Article 65 Meta decisions

The EDPB has adopted dispute resolution decisions on the basis of Article 65 in respect of the Irish Data Protection Commissioner's decisions regarding Meta platforms Facebook, Instagram and WhatsApp.  The decisions were made following complaint-based inquiries and focused on the lawfulness and transparency of processing for behavioural advertising.  The WhatsApp decision looked at the lawfulness of processing for the purpose of improvement of services.  The decisions had not been published at the time of writing pending notification of the controller by the Irish DPA who has one month to adopt final decisions following notification by the EDPB.  Reports suggest Meta could face a fine of as much as €2 billion.  Meta says it is too early to speculate and it continues to engage with the Irish DPA.

Irish Data Protection Commissioner investigates Twitter data breach

The Irish DPC is reportedly looking into the data breach Twitter reported in August.  The incident saw user emails and phone numbers published online after records were scraped from the Twitter system.  An estimated 5.4 million accounts were affected although Twitter has not confirmed this number.  The Irish regulator has written to Twitter asking for more information about the breach.

Meta announces new privacy protections for young people

Meta has announced updated privacy practices to protect young people on Facebook and Meta.  These include privacy by default settings for new accounts, tools to limit unwanted interactions with adults and tools to limit the spread of teen intimate images online.  These settings will be automatically provided to new Facebook users under 16 (or 18) depending on the country, and teens already on the platforms will be pointed towards higher privacy settings.

TikTok CEO says US data to be hosted in the USA

Speaking at a conference, TikTok CEO Shou Chew said 'Project Texas' will see data moved from Virginia and Singapore to a new Oracle cloud solution which only US residents will have access to.  He added that no foreign government has asked the company for user data and said the response would be to refuse access. The comments were made in response to questions about the influence of the Chinese government on TikTok's owner Bytedance.

Electronic Communications (Security Measures) Regulations 2022 and Telecommunications Security Code in force

The Electronic Communications (Security Measures) Regulations 2022 and the Telecommunications Security Code are now in force.  They were made under the Telecommunications (Security) Act 2021 which strengthens the security framework for technology used in 5G and full fibre networks to protect UK telecoms networks from hostile cyber activity.

New ICO guidance and materials on direct marketing

The ICO has published new guidance and resources on direct marketing to assist organisations and businesses to conduct lawful direct marketing activities.  The guidance covers essential issues to consider to achieve UK GDPR and PECR compliance, as well as ways to select the most suitable direct marketing product.

Accompanying resources include:

• Step by step direct marketing guidance
• A guide to PECR and training resources
• Sector-specific guidance including for SMEs, B2B marketing and data broker services
• Guidance on selecting lawful basis
• A direct marketing checklist, FAQs and summary tables
• Training resources.

News as at 1 December 2022

UK finalises South Korea adequacy decision

The UK has concluded an adequacy decision in favour of South Korea which is expected to take effect on 19 December.  The decision will allow the freeflow of personal data between the UK and South Korea without a need for additional transfer mechanisms.  This is the first adequacy decision the UK has concluded independently of the EU.  The EU already has a South Korea adequacy decision but the government is keen to stress that the UK's decision is broader than the EU's, notably because UK organisations will be able to share personal data related to credit information to help identify customers and verify payments.

Irish DPC fines Meta €265 million

The Irish Data Protection Commissioner has announced it is fining Meta Platforms Ireland Limited €265 million and is imposing a range of corrective measures.  This concludes an inquiry started in April 2021, following reports of a Facebook dataset available on the internet between May 2018 and September 2019.  The main issue the DPC examined was compliance with the obligation for data protection by design and default which involved examining the implementation of technical and organisational measures to achieve this. The final decision, made in cooperation with other EU regulators, imposes a reprimand, and an order to bring processing into compliance by taking specified actions within a determined timeframe, in addition to the fine.

EC proposes Interoperable Europe Act

The European Commission has adopted a proposal for a Regulation to set out measures to create a high level of public sector interoperability across the Union (Interoperable Europe Act). The Act aims to promote the cross-border interoperability of network and information systems used to provide public services in the EU.

ICO and Ofcom statement on regulatory cooperation

The ICO and Ofcom have published a joint statement setting out how they will work together to ensure coherence between the data protection and new online safety regimes.  To achieve their mutual aims, the ICO and Ofcom will work together to achieve maximum alignment and consistency.  They will:

• Maximise coherence by ensuring policies are consistent, and consult closely when preparing codes and guidance.  They will particularly focus on achieving clarity where there are areas of tension between the two regimes.
• Promote compliance by setting clear expectations for industry on what they need to do to meet both online safety and data protection requirements.  There will be a particular focus on small and emerging firms.  Action will be taken against services that don't meet their obligations and the regulators will share information and intelligence as appropriate to help coordinate approaches to enforcement.

ICO speech on enforcement

The ICO set out a "new" approach to enforcement at a speech given at the National Association of Data Protection Officers annual conference.  The ICO highlighted that while fines were useful, they were not the only tool available to it when enforcing the data protection regime and quantum was not necessarily the most significant evidence of its enforcement activities.  In addition to highlighting the new approach to avoid punitive fines for public sector organisations, the ICO said that going forward, all 'reprimands' would be published on the ICO's website unless there is a good reason not to publish.  The ICO also said he would be promoting a predictable, consistent, transparent but flexible approach to enforcement.  Sandboxes and advice services for innovators will assist with this.

NIS2 and DORA adopted by the Council of the European Union

The Council of the European Union has adopted the NIS2 Directive. This updates the current NIS Directive on security of network and information systems. The intention is to widen the scope of the rules and harmonise requirements across the EU. NIS2 is also aligned with sector-specific legislation, in particular the Digital Operational Resilience Act for the financial sector (DORA) which has also now been adopted by the Council. Both pieces of legislation will be published in the Official Journal shortly. Member States will have 21 months to introduce legislation implementing NIS2. Read more.

NIS2 will not apply in the UK, however, the UK government confirmed on 30 November, that it would be updating the NIS Regulations 2018 (which implemented the NIS Directive) following a public consultation.

News as at 24 November 2022

ICO updates guidance on international data transfers

The UK's ICO has published updated guidance on international data transfers. This includes a new section on transfer risk assessments (TRAs), known as Transfer Impact Assessments or TIAs in the EU, as well as a new TRA tool.  These are required when using Article 46 transfer mechanisms, as a result of the CJEU judgment in Schrems II.

The ICO stresses that its guidance provides an alternative to the EDPB's guidance on supplementary measures for international transfers.  The ICO's own approach to TRAs is different but it says that it is "happy for organisations exporting data from the UK to carry out an assessment" that meets either the UK or the EU approach, which it summarises as follows:

• Option 1, UK approach in TRA tool – the assessment compares the position of the data subjects in the specific circumstances of the transfer in terms of whether there would be any increase in the risk to the individual if the transfer goes ahead, compared with the position were the data to remain in the UK.  The focus is on protection of human rights in the destination country, given that the recipient of the data is already obliged to comply with the data protection requirements under the relevant Article 46 transfer mechanism.  Enforceability of the Article 46 mechanism is also a factor.

• Option 2, EDPB approach – the assessment compares the laws and practices of the UK (including the UK GDPR) with those of the importing country in order to evaluate the risks outlined above.  This involves looking at the safeguards in place about third party access to the information, in particular by governments.  The safeguards do not need to be identical to those in the UK, but they must be sufficiently similar.

The ICO's new TRA tool is designed to help organisations assess the initial risk level of the relevant categories of data by asking a series of six questions, each of which is accompanied by supporting documentation tables guiding what to consider.  The questions are:

• What are the specific circumstances of the restricted transfer?
• What is the level of risk to the people in the personal information you are transferring?
• What is a reasonable and proportionate level of investigation, given the risk level in the personal information and the nature of your organisation?
• Is the transfer significantly increasing the risk for people of a human rights breach in the destination country?
• Are you satisfied that both you and the people the information is about will be able to enforce the Article 46 mechanism against the importer in the UK; and if enforcement action is needed outside UK, are you satisfied that you and the people the information is about will be able to enforce the Article 46 transfer mechanism in the destination country or elsewhere?
• Do any of the exceptions to the restricted transfer rules apply to the significant risk data you have identified?

The ICO's option 1 approach does put a different emphasis on this exercise to the EDPB's and it should be easier for businesses to complete (despites the length of the TRA tool), however, it could create tension with the EU in relation to onward data transfers and the level of protection afforded to EU data which is ultimately exported to third countries from the UK. For this reason, cross-border businesses may prefer to stick with the EDPB's approach.

EDPS Opinion on the draft Cyber Resilience Act

The European Data Protection Supervisor has published an Opinion on the EU's draft Cyber Resilience Act, which covers harmonised security requirements for IoT and other products with digital elements.  The EDPS broadly welcomes the initiative while emphasising that the GDPR already contains cybersecurity requirements.  He urges the Commission to include data protection by design and default as an essential element, in addition to security and data minimisation.  As is often the way when commenting on proposed data-related legislation, the EDPS also stresses the need for any incoming legislation to work with the GDPR.

Meta seeks to reverse Instagram fine

Meta is reportedly seeking to overturn the €405 million Euro fine imposed on it by the Irish Data Protection Commissioner in September.  The fine related to historic practices which resulted in default publication of children's personal data on the Instagram platform.  Meta said it would appeal the fine and is now reportedly seeking a number of High Court declarations including one that parts of the Irish Data Protection Act 2018 are invalid under the Irish constitution, and are incompatible with the European Convention on Human Rights.  In addition, Meta intends to apply to the CJEU to annul an EDPB instruction to the Irish Courts on the level of the fine imposed.

EDPB adopts recommendations on applying for controller BCRs

The European Data Protection Board has adopted draft recommendations on applying for controller Binding Corporate Rules to underpin data transfers to third countries.  The recommendations will update the current guidance and bring it in line with the Schrems II requirements, replacing the current Article 29 Working Party Recommendations.  They also update the application form and set out what must be included on the form and with the application.  The draft is open to comments until 10 January 2023. The EDPB is also working on guidelines for processor BCRs.

India publishes draft Digital Personal Data Protection Act

India has published a draft Digital Personal Data Protection Bill to update its data protection regime.  A previous attempt to pass a new data protection act ended in failure.  The Bill provides for protection of individual rights.  It appears to have stepped back from data localisation requirements, allowing for cross-border transfers with notified countries and territories. It also provides for a Data Protection Board to oversee compliance and impose penalties up to a maximum of INR 5 billion.

High Court grants permanent injunction on material harvested in ransomware attack

The High Court has granted summary judgment in respect of a permanent injunction in a breach of confidence claim arising out of a ransomware attack.  It also preserved the anonymity of the Claimant.  The Claimant had previously got a without notice interim injunction restraining the unknown Defendants from using or distributing the Claimant's confidential information which was harvested in a ransomware attack.  The Claimant then commenced proceedings for breach of confidence and the Court continued the injunction on expanded terms.  The Court granted summary judgment because the large amount of data stolen fell into categories requiring extra protection (including security sensitive information), and because the information was obtained by hacking.

The Claimant's anonymity was preserved largely due to the nature of their work and the fact that much of it is covered by the Official Secrets Act. 

News as at 17 November 2022

European Parliament approves NIS2 Directive

The European Parliament has approved the NIS2 Directive.  The legislation will now be approved by the Council of Europe before publication in the Official Journal.  This is expected to happen by the end of 2022.  Member States will then have 21 months to implement the Directive.  NIS2 updates the NIS Directive and deals with cybersecurity of operators of essential services and digital services providers.  For more information on NIS2, see our Global Data Hub article by Paul Voigt and Clare Reynolds.

ICO reprimands DfE for allowing access to children's data for gambling age verification

The ICO has issued a reprimand to the Department for Education for allowing a database of 28 million pupils' learning records to be used by Trust Systems Software UK Ltd (trading as Trustopia), for online gambling age verification purposes.  Only the fact that the ICO is trying to reduce the impact of public sector fines on the public, prevented it issuing a £10 million fine.

The DfE had continued to give access to Trustopia when it advised the DfE that it was a new trading name for training provider Edududes Ltd.  Due to a failure to carry out due diligence, the DfE was unaware that Trustopia was a screening company which used the DfE database to help online gambling companies with age verification.  While Edududes had not accessed the database for training purposes, Trustopia accessed the records of 22,000 learners over a period of 16 months.

The ICO said the DfE had failed in its obligations to use and share children's data fairly, lawfully and transparently.  It also failed to prevent unauthorised access to the data, have proper oversight of the data, or stop the data being used for reasons not compatible with the provision of educational services, and for purposes different to those for which it was originally processed.  The DfE only became aware of the breach following a newspaper report.

The ICO acknowledged that the DfE had taken steps to review access to the database and strengthen registration processes which had resulted in 2,600 organisations having their access removed.  Regulatory action against Trustopia was not available as the company has been dissolved.

ICO consults on how to prioritise public sector FOI complaints

The ICO is consulting on how to prioritise complaints relating to the response of public authorities to FOI requests.  It is proposing to prioritise complaints where there is a clear public interest in the information that has been asked for including by applying the following tests:

• Is there a high public interest in the information requested? Does it raise a novel or clearly high-profile issue that requires quick attention?
• Is the requester a person or group who is raising information rights awareness, supporting vulnerable groups or raising awareness of potentially significant public interest issues?
• Are vulnerable groups or people potentially significantly affected by the requested information?
• Would prioritisation have significant operational benefits or support those regulated?

Responses are required by 19 December 2022.

Largest ever US privacy settlement

Google has settled for a total of $391.5 million with 40 US states over allegations that it continued to collect user location data after they had opted out of tracking.  As part of the settlement, Google also agreed to make its location tracking practices more transparent to users, including by showing them more information when they turn settings off and on, and setting out information about the data it collects on a web page.  This the largest privacy settlement in US history, although the issues were dealt with under consumer protection law.

Apple is facing a class action lawsuit filed in California, for allegedly using analytics on some of its apps regardless of whether or not users had turned them off in their settings.

News as at 10 November 2022

What's happening with the UK's Data Protection Bill?

As we know, the UK's Data Protection and Digital Information Bill was paused just before its second reading in the House of Commons, to allow incoming Ministers under the ill-fated Liz Truss government to consider it.  DCMS Secretary of State Michelle Donelan, then hinted that the Bill might be changed during a speech at the Tory Party conference.  Since then, things have gone quiet.  

Speaking at a Westminster Forum event on 31 October, Owen Rowland, deputy director for domestic data protection policy at the DCMS said there would be further consultation on the Bill before it progresses to allow ministers to complete final checks.  He also suggested this could delay the Bill somewhat.  However, he underlined that any organisation which needs to comply with GDPR, would also find itself compliant with UK data protection law under the new regime.  

It is unclear whether this means there will be changes to the Bill, although Rowland was also keen to stress that there would be nothing in the Bill to threaten the EU-UK adequacy agreement.  A DCMS spokesman said there would not be another public consultation and the timeline of the Bill would not be affected.

44th Global Privacy Assembly – facial recognition principles agreed

At the 44th Global Privacy Assembly, data protection regulators from 120 countries reportedly agreed a resolution on a framework for using personal data based on six core principles.  The resolution says the use of facial recognition requires a clear legal basis.  The deploying organisation must be able to establish reasonableness, necessity and proportionality as well as transparency.  Human rights assessments should be carried out, data protection principles respected, and there must be effective accountability.

Governments to work together and separately to tackle ransomware

The UK's Parliamentary Joint Committee on the National Security Strategy has launched a call for evidence on ransomware.  It is seeing views on the nature and extent of ransomware threats, how they are deployed and how they are likely to develop.  Information is also sought on the level of vulnerability and preparedness of organisations, and as to whether government response and those of other stakeholders like the ICO, are appropriate or reforms are needed.  Responses are required by 16 December.

The call for evidence also looks at the issue of international cooperation which was a focus of the recent second International Counter Ransomware Initiative Summit.  36 countries including the UK and US as well as the EU committed to developing coordinated guidelines on preventing and responding to ransomware attacks.  There are plans to establish an International Counter Ransomware Taskforce to share knowledge and resources, and to coordinate on enforcement in line with national law and policy.

CJEU ruling on inclusion and withdrawal of contact details in directories

The CJEU has handed down a ruling relating to the required response when a subscriber asks for their personal data to be removed from an online public telephone or directory enquiry directory.  The decision followed the Advocate General's Opinion, holding that subscriber consent is required to include the details.  

Consent must be to GDPR standards but in order to be valid, the subscriber does not, at the point of consent, need to be aware of the identify of all the directory providers which will process their data.  Subscribers must have the opportunity to withdraw consent at which point a controller must take appropriate technical and organisational measures to inform third-party controllers ie the telecoms operator and other relevant directory providers.  Where a number of controllers rely on a single consent the data subject should be able to withdraw consent to any of them.  In addition, the controller must then take reasonable steps to inform search engine providers of the erasure request.

Ofcom proposes lowering incident reporting thresholds for OESs

Ofcom is consulting on lowering the incident reporting thresholds in its NIS guidance to operators of essential services (OESs) in the digital infrastructure sector (which includes top-level domain name registries and various types of domain name service providers).  Incident reporting is required where the incident has a "significant impact" on the continuity of the relevant service.  What constitutes "significant" is set out in Ofcom guidance and these are the thresholds Ofcom is intending to change.  The consultation closes on 13 January.

News as at 3 November 2022

EDPB consults on updated guidelines on identifying a lead supervisory authority

The EDPB is consulting on draft updates (marked in yellow) to its Guidelines on identifying a controller or processor's lead supervisory authority.  The update deals with paragraphs 29-34 and Annex 2d(i) and (ii).  The changes largely clarify the issue of what happens in a joint controller situation, explaining that:

• It is for the joint controllers to identify their compliance obligations in a transparent manner, including the organisation of contact with data subjects and SAs.
• SAs are not bound by the decision of the joint controllers as to which is responsible for liaising with them.
• The notion of main establishment is linked to a single controller and cannot be extended to a joint controllership situation although each controller might have its own lead SA where it is sole controller. The joint controllers cannot designate a common main establishment for both of them.

The consultation ends on 2 December 2022.

ICO guidance on direct marketing using email and live calls

The ICO has published guidance on PECR in relation to direct marketing using email and live calls. The guidance summarises the applicable rules respectively for each medium, and looks at the relationship between PECR and data protection rules.  The two new elements supplement the existing Guide to PECR.

ICO concerns over emotion analysis technologies

The ICO has published a blog warning organisations to assess the public risks of using emotion analysis technologies before implementing them.  Emotion analysis relies on collecting, storing and processing a range of behavioural data including special category data which the ICO sees as far more risky than traditional biometric technologies used to verify identity.  The ICO says that "algorithms which are not sufficiently developed to detect emotional cues risk creating systemic bias, inaccuracy and even discrimination".  The ICO will publish guidance on using biometric technologies in Spring 2023.

ICO publishes draft guidance on information about workers' health

The ICO has published draft guidance for consultation on information about workers' health, alongside a blog.  This is the second part of the ICO's draft guidance on employment practices.  The guidance covers lawful basis for processing worker health information, security, how to handle sickness and injury records, dealing with occupational health schemes, rules on medical examinations and testing including genetic testing, and the use of health monitoring technologies, as well as issues around sharing worker health information.

CNIL fines Clearview AI €20 million

The French data protection regulator, the CNIL, has fined Clearview AI €20 million in relation to its facial recognition database.  This is the latest in a string of fines, including from the UK's ICO, which have been imposed on Clearview AI for breaches of the GDPR when compiling its facial recognition database which scraped images from the internet.  The CNIL ordered Clearview AI to stop its unlawful processing activities and delete unlawfully processed data.

OECD cross-border data flow report

The OECD has published a report on global policies and initiatives around data flows with the aim of promoting a common understanding and dialogue between the G7 countries and beyond.  The report looks at key policies and initiatives on cross-border data flows to inform and support G7 countries' engagement with the policy agenda.

Australia proposes increase in data breach fines

A Bill has been introduced to Parliament in Australia which proposes significant increases to maximum fines for data breaches.  The current maximum is AU$2.22 million.  The proposal is to increase this to AU$50 million or penalties based on data monetisation and 30% of adjusted quarterly turnover.

AG ruling on retention of IP addresses to identify suspected copyright infringement

AG Szpunar has delivered an Opinion in the case La Quadrature du Net and others v Premier Ministere de la Culture. The AG says that Article 15(1) of the ePrivacy Directive read in light of the Charter of Fundamental Rights, does not preclude national legislation that allows for the general and indiscriminate retention of IP addresses for a period of time limited to what is strictly necessary for preventing, investigating, detecting and prosecuting online criminal offences, provided that this data is the only means of identifying the person to whom that address was assigned at the time of the commission of the infringement. This can be done without prior review by a court or independent body if, as in this case, the linking is at a given point in time and is limited to what is strictly necessary to achieve the objective.

ICO fines Interserve Group £4.4 million for employee privacy failings

The UK's ICO has fined construction company Interserve Group £4.4 million for failure to implement sufficient security measures to protect employees.  The ICO said the company had failed to put appropriate security measures in place to prevent a cyberattack which enabled hackers to access the personal data of 113,000 employees through a phishing email.  The compromised data included contact details, bank details and special category data.  The UK Information Commissioner John Edwards warned that "the biggest cyber risk businesses face is not from hackers but from complacency within their company".  He reminded businesses to regularly monitor for suspicious activity in their systems, act on warnings, update software and train staff.

News as at 20 October 2022

Digital Markets Act published in the Official Journal

The Digital Markets Act was published in the Official Journal on 12 October.  It introduces rules for platforms that act as gatekeepers in the digital sector, to prevent unfair practices and the imposition of unfair terms and conditions on business and end users.  It comes into force 20 days later and will, for the most part, start to apply six months after that on 2 May 2023.  Certain provisions around the Commission and its designation of Gatekeepers will apply from 1 November 2022.  Articles 42 and 43 apply from 25 June 2023.  Gatekeepers will have six months to comply with their obligations following their designation and six months following designation of each core platform service in relation to that service.  To find out more, including about provisions relating to data, see our content on Interface.

EDPB consults on revision to data breach notification guidelines for non-EU establishments

The EDPB is consulting on proposed changes to its guidelines on data breach notification.  It is proposing adding a clarification stating that the mere presence of an EU representative does not trigger the one-stop-shop mechanism for a controller not established in the EU.  It says for this reason, a notifiable breach will need to be notified to "every single authority for which affected data subjects reside in their Member State".   This suggests that, if the changes are adopted, controllers may end up notifying all EU DPAs just in case it later transpires there are affected data subjects in their jurisdictions.

European Commission Work Programme 2023

The European Commission has highlighted the following data-related priorities in its 2023 Work Programme:

• A common European mobility data space to boost the digitalisation of the mobility sector and encourage innovative solutions.
• A framework on open finance to improve data access in financial services.
• A European Health Data Space (the proposal for which was published earlier this year).
• A targeted initiative to develop cybersecurity skills through a dedicated Skills Academy.
• Proposals on harmonising some national procedural work of national data protection authorities to improve enforcement cooperation.

ICO draft guidance on monitoring in the workplace

The ICO has published its draft guidance on monitoring at work for consultation.  Following a call for evidence, the ICO plans to release topic-specific guidance on employment practices and data protection.  The monitoring guidance is the first in the series.  It aims to provide practical guidance about monitoring works in compliance with data protection legislation, and to promote good practice.  The ICO also intends to produce practical tools including checklists to sit alongside the guidance, and has produced an impact scoping document.

The draft guidance covers what constitutes lawful monitoring and now to identify a lawful basis.  It also looks at the application of other elements of data protection law (such as fairness, transparency, and accountability) and the processes involved, for example, policies and DPIAs.  It addresses covert monitoring, use of special and biometric data, in particular for time attendance and control monitoring, as well as use of automated processing in monitoring tools.

The consultation on the draft closes on 11 January 2023.

NCSC guidance on gaining confidence in supply chain cybersecurity

The National Cyber Security Centre has published new guidance to help organisations assess their suppliers' levels of cybersecurity.  The guidance sets out practical steps to help medium to large organisations gain assurance about the cybersecurity of their organisation's supply chain. It describes typical supplier relationships and the way organisations are exposed to vulnerabilities and cyberattacks via the supply chain, defines expected outcomes and key steps to approaching cybersecurity, answers common questions, and supplements the 2020 NCSC Supply Chain principles.

EDPB sets out harmonisation 'wish list' and other plenary developments

The EDPB has sent the European Commission a wish list of aspects in national procedural law it would like to be harmonised to facilitate GDPR enforcement.  These are issues which the EDPB has identified as potentially requiring legislative change. They include the status and rights of the parties to the administrative procedures, procedural deadlines, requirements for admissibility or dismissal of complaints, investigative powers of data protection authorities, and the practical implementation of the cooperation procedure.

The EDPB has also adopted an Opinion on the approval by the Board of the Europrivacy certification criteria submitted by the Luxembourg DPA.  This is the first European Data Protection Seal adopted pursuant to Article 42(5) GDPR.  Certification under the seal will be valid across the EU and allow for different controllers and processors to achieve and demonstrate the same level of compliance for similar processing operations regardless of the Member State in which they are located, or the location of their lead regulator.

Also at the plenary session, the EDPB adopted a statement on the digital euro, reiterating the importance of privacy by design and default to the project.

ICO responsible for the UK Trusted List

The ICO has confirmed it is now responsible for the UK Trusted List which sets out details of ICO-approved trust services under eIDAS. This sets out rules for UK services and establishes a legal framework for electronic documents, electronic registered delivery services, and certificate services for website authentication.

News as at 13 October 2022

President Biden signs Executive Order paving the way for new EU (and UK) – US adequacy agreement

President Biden last week signed an Executive Order on Enhancing Safeguards for United Signals Intelligence Activities (EO). The EO and related Department of Justice Rules published at the same time, seek to deal with the issues raised by the CJEU in the Schrems II decision that invalidated the EU-US Privacy Shield, and pave the way for a new EU-US Data Privacy Framework (previously known as the Trans-Atlantic Data Privacy Framework).  The EO is not EU-specific; its redress elements apply to any state designated by the US as a qualifying state and other elements apply regardless of the location or nationality of the data subject.  This is good news for the UK which (at least for now) is bound by the Schrems II decision and has equivalent rules on data exports under the UK GDPR, as those in the EU. On the same day the EO was published, the UK government published a US-UK Joint Statement on a New Comprehensive Dialogue on Technology and Data and Progress on Data Adequacy. The Statement announced "significant progress on UK-US data adequacy discussions".  It set out the government's aim of "working expediently" to issue a US-UK adequacy decision and achieving recognition under the EO as a qualifying state.

See more about what this means for future EEA/UK data transfers to the USA here.

Breach of GDPR does not automatically give rise to a claim for non-material damage, says AG

Advocate General Campos Sanchez-Bordona has delivered an Opinion in a reference from Austria on interpretation of Article 82(1) of the GDPR which sets out the right to compensation for breaches of the Regulation.  The questions referred to the CJEU covered:

• whether, in order to seek compensation for breach of the GDPR, it is necessary for the applicant to have suffered harm, or whether the mere fact there has been a breach is sufficient to give rise to a claim for compensation
• whether the assessment of compensation depends on further EU law requirements in addition to the principles of effectiveness and equivalence
• whether it is compatible with EU law to take the view that the award of compensation for non-material damage presupposes the existence of a consequence of the infringement of at least some weight which goes beyond the upset caused by that infringement.

The AG opined that the CJEU should hold Article 82 should be interpreted so that a mere infringement of the GDPR does not in itself give rise to a claim for compensation.  It must be accompanied by relevant material or non-material damage.  Compensation for non-material damage does not include mere upset felt as a result of the breach.  It will be up to Member State courts to determine where the dividing line between a feeling of displeasure and non-material damage lies on a case by case basis.

£1.48 million ICO fine for company profiling and targeting customers without consent

The ICO has fined Easylife Ltd £1.35 million for using customer purchase data to profile and predict their medical conditions, and then target them with health-related products without consent.  Easylife was also fined £130,000 for making unsolicited marketing calls.

The ICO found that Easylife profiled customers making purchases from its Health Club catalogue in order to target them with health-related items.  This meant the company was processing 'invisible' health data – people were unaware that their personal data was being used for that purpose.

Malicious apps target Facebook user login details

Facebook is reportedly notifying 1 million users that their login details may have been stolen by malicious apps on the apple and android platforms.  The apps purport to require login via Facebook but then pass the user details directly back to their creators.  Facebook says it has removed all the apps it identified.

Largest cryptocurrency exchange suffers major data breach

Binance, the world's largest cryptocurrency exchange, temporarily suspended transactions and exchange of funds after its network was hacked, causing it to lose anywhere between $110 million and half a billion dollars. The hackers exploited a vulnerability between two blockchains, which is becoming a common approach. Binance says it has secured its funds.

News as at 6 October 2022

Michelle Donelan 'announces' replacement of the GDPR

Addressing the Conservative Party Conference, recently appointed Secretary of State at DCMS, Michelle Donelan, 'announced' the government will be "replacing the GDPR with our own business and consumer-friendly, British data protection system". The wording (and use of "today") suggested this was a new announcement but, of course, the Data Protection and Digital information Bill was presented to Parliament at the end of Nadine Doris's tenure at DCMS.  The second reading of the Bill was then delayed so that "Ministers [could] consider this legislation". It is unclear from Donelan's speech whether she was referring to the already published Bill, or whether she now intends to revise it or present a different Bill.

White House OSTP publishes 'Blueprint for AI Bill of Rights'

The White House Office of Science and Technology Policy has published a 'Blueprint for an AI Bill of Rights'. This is intended to help guide the design, development and deployment of AI and other automated systems and protect the rights of individuals. It lays out five core protections to which it says everyone in America should be entitled:

• Safe and effective systems.
• Algorithmic discrimination protections (including in the areas of healthcare and employment).
• Data privacy.
• Notice and explanation (information rights).
• Alternative options (the ability to opt out and have access to a person to help address any issues).

In relation to data protection, the Blueprint says individuals should be protected from abusive data practices via built-in protections and should have agency over how data is used.  Design choices should ensure protections are included by default and that only strictly necessary data for the specific context is collected.  Consent should be sought about collection, use, access, transfer and deletion of data in appropriate ways and to the "greatest extent possible".  Consent should only be used to justify collection of data "in cases where it can be appropriately and meaningfully given".  Hard-to-understand consents and confusing user interfaces should be changed.  Enhanced protections for sensitive areas including health and youth data should be put in place.

US Data Access Agreement now in force

The Data Access Agreement between the USA and UK is now in force.  It sets out conditions for cross-border access to electronic data for the purposes of combatting serious crime, with safeguards and procedures to protect fundamental rights.

White House poised to publish Executive Order on EU-US data transfers

According to Politico the White House will shortly publish an Executive Order on transatlantic data transfers, intended to address EU concerns over the protection of EU data transferred to the USA.  It is thought that the Order will set out what is considered "necessary and proportionate" in terms of access to personal data by the US intelligence services, and that it will provide additional legal protections for individuals.

Publication of the Order will start a ratification process by the European Commission, expected to take up to six months.  On this timeline, we might see a replacement for the EU-US Privacy Shield in Spring 2023.

IAB Tech Lab launches Global Privacy Platform

IAB Tech Lab has announced that its Global Privacy Platform is ready for industry adoption.  The GPP is part of a portfolio of solutions developed by IAB Tech Lab to address privacy compliance issues in adtech across jurisdictions with differing regimes. The GPP enables user consent signals to be communicated through the digital ad supply chain and provides the protocol to help consolidate and manage these.  It currently supports the US Privacy and IAB Europe TCF consent strings and has plans to add US State-specific strings and one for Canada.  Users are advised to begin transitioning to GPP from TCF v2.0.

It is worth remembering that there are question marks over whether the IAB Europe Transparency and Consent Framework satisfies GDPR requirements after IAB Europe was fined by the Belgian DPA and ordered to propose remedial measures.

ICO evaluates impact of the Children's Code

Following the first anniversary of the implementation of the Children's Code, the ICO is consulting on its impact, gathering views from stakeholders and the public.  It is also gathering information from sources including market research, and considering its experience of supervising the Code over the last year.  Responses are required by 5pm on 11 November.

Irish DPC submits Article 60 draft decision on Meta inquiry

The Irish Data Protection Commissioner has submitted a draft decision following its inquiry into Meta Platforms Ireland Limited (Meta), to other concerned authorities under the Article 60 GDPR procedure.  The inquiry began in April 2021 following reports of a data breach that reportedly exposed a dataset on the internet relating to approximately 533 million Facebook users worldwide. It focused on Meta's compliance with data protection by design and default obligations under Article 25 GDPR.  

The concerned supervisory authorities now have a month to review the draft decision and raise any objections.

ICO 'reprimands' organisations for failures relating to SARs

The ICO has issued official reprimands to seven organisations relating to their handling of subject access requests.  Reprimands are one of the ICO's enforcement tools which can be used to warn organisations that their actions breach the UK GDPR, and to recommend steps to prevent ongoing non-compliance.  The non-compliance identified varied between organisations but broadly related to failure to have the proper processes and resources in place to enable timely response to SARs.  The organisations in question have been given between three to six months to show they have made improvements, or face further action. They are mostly public sector, however, Virgin Media Limited, received a reprimand calling for improved performance on processing complaints and general SAR compliance.  The ICO has published a blog on getting SARs right.

CJEU says no indiscriminate retention of traffic and location data subject to limited exceptions

The CJEU has ruled in joined cases that Article 15(1) of the ePrivacy Directive (as amended) read in the light of the Charter of Fundamental Rights of the European Union, precludes national legislative measures which authorise the general and indiscriminate retention of traffic and location data for the purposes of combating serious crime and preventing serious threats to public security.  It also reiterated that EU law does not preclude measures that enable the collection of such data where there is a serious threat to national security subject to specified checks and balances.  There is also no prohibition on:

• targeted and limited retention of traffic and location data
• general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a limited time period and where strictly necessary
• general and indiscriminate retention of data relating to the civil identity of users of e-communications systems
• complying with properly drawn up instructions from a competent authority.

News as at 29 September 2022

News as at 22 September 2022

EC introduces draft Cyber Resilience Act

The European Commission has published a proposal for a new Cyber Resilience Act to protect consumers and businesses from products with inadequate security features.  It introduces mandatory cybersecurity requirements for products with digital elements throughout their lifecycle.  Manufacturers will be required to embed security by design and provide security support and software updates to address vulnerabilities.  There will be information requirements to inform consumers about the cybersecurity of products, and products will need to meet conformity assessments (subject to the type of product).

Products with digital elements are defined as: "any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately".  They are further sub-divided where they are considered as "critical products with digital elements" falling within listed categories and subject to conformity procedures.  There are also provisions relating to high-risk AI.

In particular, the proposed legislation introduces:

• rules for placing on the market of products with digital elements to ensure their cybersecurity
• essential requirements for the design, development and production of products with digital elements and obligations for economic operators in relation to them
• essential requirements for the vulnerability handling processes put in place by manufacturers to ensure the cybersecurity of products with digital elements during the whole lifecycle, and obligations for economic operators in relation to these processes.  Manufacturers will also have to report actively exploited vulnerabilities and incidents
• rules on market surveillance and enforcement.

Security obligations run through the supply chain, including for economic operators, manufacturers, importers and distributors.

The legislation is being introduced as part of the European Commission's Cybersecurity Strategy introduced in December 2020.  It will complement NIS2 and the EU Cybersecurity Act.

Compromise text on Data Act proposed by Czech Presidency of EU Council

The Czech Presidency of the EU Council has circulated a new partial compromise on the Data Act which covers cloud switching and interoperability among other issues.  According to Euractiv, some of the proposed changes include:

• allowing the possibility of an extension to the 30 day period for switching cloud service providers under limited circumstances
• requiring the migration on request not only of data but also meta data when switching cloud service providers and possibly with on-premise system switching
• smart contracts will not be mandatory for the automation and execution of data sharing agreements
• the EC will be mandated to develop standard contractual clauses for cloud computing contracts.

It remains to be seen what the reaction to these proposals will be.

Details of record Instagram fine published

The Irish Data Protection Commission, acting as Lead Supervisory Authority (LSA), has fined Meta Platforms Ireland Limited €405 million following an inquiry into Instagram's privacy practices.  The publication of the decision follows the EDPB's binding dispute resolution decision of 28 July 2022 under the Article 65 GDPR procedure.  This is the second largest fine handed down under the GDPR to date.

The Irish DPC investigated Instagram's public disclosure of email addresses and phone numbers of children using Instagram's business account feature, and public-by-default settings for children's personal Instagram accounts for a period (the practice has since ended).  

The EDPB's decision looked in detail at lawful processing, and at the lawful bases of performance of a contract and legitimate interests which were the lawful bases relied on by Instagram to process the children's personal data.  The EDPB found that there were no grounds for the LSA to conclude that public processing of the children's email addresses/phone numbers was necessary for the performance of a contract.  It also found that Instagram could not rely on legitimate interests as a lawful basis for publishing these details as the processing was either unnecessary, or if it was necessary, did not pass the legitimate interest balancing test.  As a result, the EDPB found that Meta IE had processed children's personal data without a lawful basis, and amended the amount of the fine accordingly.

Separately, South Korea's Personal Information Protection Commission has reportedly fined Meta around £19m around consent practices, with Google being fined around twice that amount for similar reasons.

Irish Data Protection Commissioner submits draft TikTok decision

The Irish Data Protection Commission has submitted a draft decision following its inquiry into TikTok Technology Limited, to other Concerned Supervisory Authorities.  The inquiry focuses on processing of children's personal data by TikTok, in particular, its public-by-default settings for under-18 accounts, and age verification measures for under-13s.  It also considers whether TikTok complied with GDPR transparency requirements.  The Concerned Supervisory Authorities now have one month to review the draft decision under the Article 60 procedure.

EDPB's second coordinated enforcement action to focus on DPOs

The EDPB has confirmed that its second coordinated enforcement action will concern the designation and position of the Data Protection Officer.  Over the next few months, the EDPB will specify further details, following which, national Data Protection Authorities will work at national level to gather information and produce targeted follow-up.

A report on the use of cloud-based services by the public sector, the subject of the first coordinated action, will be adopted by the end of this year.

Governor of California signs California Age Appropriate Design Code

The Governor of California has signed the California Age Appropriate Design Code into law.  Influenced by the ICO's AADC, the Bill will apply from 1 July 2024.  The CAADC sets out mandatory requirements and prohibitions on providers of online services likely to be accessed by children.  These include requirements to carry out DPIAs, to configure high privacy by default settings, to communicate clearly with children, and to provide tools to enable children and/or their parents or guardians to exercise their privacy rights.

News as at 15 September 2022

European Commission poised to introduce Cyber Resilience Act

Euractiv reports that the EC will introduce its proposal for a Cyber Resilience Act this week.  The Act will address cybersecurity issues with consumer connected devices.  It will cover "products with digital elements" defined as "any software or hardware product and its remote data processing solutions, including software or hardware components to be placed on the market separately".  Products covered by sector-specific rules including medical devices, are outside the scope of the legislation.

Manufacturers of IoT products will need to comply with security requirements and ensure confidentiality of data.  They will be required to carry out regular stress testing and report issues to a nominated body.  Critical products which represent greater risk will have additional obligations and are divided into two classes.  Class I includes identity management systems, browsers, password managers, antiviruses and firewalls, VPNs, network management systems, physical network interfaces, routers and chips used for essential entities as defined in NIS2.  Class II, considered as higher risk, includes desktop and mobile devices, virtual operating systems, digital certificate issuers, general purpose microprocessors, card readers, robotic sensors, smart meters and all IoT, routers and firewalls for industrial use in a sensitive environment.

Obligations will extend down the supply chain with penalties for non-compliance of up to €15m or 2.5% of annual turnover, whichever is higher.

CJEU to hear reference from Belgium on IAB Europe TCF framework

The Belgian Market Court has reportedly suspended IAB Europe's appeal against the Belgian DPAs decision that its Transparency and Consent Framework is not GDPR-compliant, making a reference to the CJEU.  The CJEU is being asked to look at the definition of 'joint controller' and whether user consent signals sent via the TCF are personal data.

UK government call for information on proposed new cybersecurity duty for user accounts

The government has published a call for information on measures designed to enhance the security of online accounts, including those processing personal data.  These are described as a "Cyber Duty to Protect", formulated as part of the National Cyber Strategy. Proposals include possibly supplementing the approach to cybersecurity under the UK GDPR.  Responses are sought  on risks associated with unauthorised access to online accounts, actions currently taken to address the problem, and actions that should be taken as well as allocation of responsibility.  Responses will be used to develop proposals which will include appropriate security measures for account providers and organisations processing user account personal data.

DHSC policy guidelines on secure data environments for NHS data

DHSC has released a policy paper setting out Secure data environment policy guidelines for data platforms hosting NHS data accessed for research and analysis.  The guidelines set out expectations for how secure data environments will be used for NHS and social care data, and the rules by which all platforms providing access to NHS data will need to comply.  The policy sets out 12 secure data environment guidelines based on the Five Safes framework of principles.  The guidelines set out standards on cybersecurity, transparency, open-working and code sharing, anonymisation, data input, use of data, and patient and public involvement.

ICO publishes draft section 5 of anonymisation, pseudonymisation and PETs guidance

The ICO has published chapter 5 of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies (PETs).  The first four chapters are under consultation which closes on 16 September.  It is unclear whether that date will be extended in order to include a consultation on chapter 5 which focuses on PETs.

Telecommunications (Security) Act 2021 in force from 1 October 2022

The Telecommunications (Security) Act 2021 (Commencement) Regulations 2022 have been made.  They bring the Telecommunications Security Act 2021 (TSA) into force from 1 October 2022.  The Electronic Communications (Security Measures) Regulations 2022 under the TSA will come into force on the same date.

The TSA strengthens the security framework for 5G technology and full fibre networks.  The Regulations set out specific security requirements for providers.  A code of practice provides further technical detail.

News as at 8 September 2022

Second reading of UK's Data Protection and Information Bill postponed

The second reading of the UK's Data Protection and Information Bill did not take place on 5 September as planned.  A government spokesperson said the decision not to move to second reading was in order to allow "ministers to further consider this legislation".  This implies that there may be changes to the Bill which was tabled in July 2022 following a lengthy consultation process.  The Prime Minister has expressed her intention to review and then repeal or replace all EU law by the end of 2023.  It is possible that the pause in the legislative process will result in changes to the first version of the Bill although unlike the Bill of Rights, it has not (yet) been pulled.

Instagram fined €405 million for breach of children's privacy

Instagram (owned by Meta) is facing a €405 million fine for GDPR breaches from the Irish Data Protection Commissioner.  While details of the fine had not been published at the time of writing, the Irish DPC has confirmed the amount which is the second largest fine handed down under the GDPR and follows a two year investigation.  The fine relates to Instagram allowing users aged between 13-17 to run business accounts from the platform which included their phone numbers and email addresses and to the fact that accounts for 13-17 year olds were set to public by default.

Instagram has said it is reviewing the final decision and points to the fact that it has updated its settings to include more safety features, including setting children's accounts to private by default and ensuring adults can no longer message teens who don't follow them.

California approves Age Appropriate Design Code Act

The California legislature has approved an Age Appropriate Design Code Act heavily influenced by the ICO's Age Appropriate Design Code.  If, as expected, it is signed into law, it will impact businesses providing online services likely to be accessed by children.  It is expected to apply from summer 2024.

ICO updated guidance and simplified process for BCRs

The ICO published updated guidance and revised application forms and tables to simplify the UK BCR application and approval process.  A key change is the revision of the referential table which the ICO says must demonstrate the applicant's "understanding of the spirit and intent behind Article 47".  The ICO also calls for a BCR policy to be included in the UK BCR document.  This policy should be published in full to give individuals information about transfers of their personal data under the BCRs.  See our article for more.

EDPB and EDPS joint Opinion on EC's draft Regulation to Prevent and Combat Child Sexual Abuse Online

The EDPB and EDPS have published a joint Opinion on the EC's draft Regulation to Prevent and Combat Child Sexual Abuse Online.  The Opinion expresses concerns that in its current form, the proposal may present an increased risk to individuals and a threat to their privacy.  It suggests the draft Regulation could provide scope for general and indiscriminate content monitoring.  Concerns are also raised over the provision for the use of AI and other technologies to scan user communications which could result in errors as well as a high level of intrusion.  The Opinion emphasises encryption and particularly end-to-end encryption as an effective privacy tool and cautions against any regulation which might curb its use.

Naming a spouse or partner can be processing special data, says CJEU

The CJEU has placed a broad interpretation on the scope of what constitutes special data under Article 9 GDPR.  In a reference from Lithuania, the CJEU held that publishing the name of a civil servant's spouse, partner or cohabitant makes it possible to determine their sexual orientation and can therefore constitute processing of special data.  The data in question is published in Lithuania as part of a requirement on civil servants to disclose their interests and those of their spouse/partner.  By extension, publication of interests could also disclose people's political views and union memberships. While this is not a surprising decision, it acts as a reminder to give proper consideration to the protection of this type of personal data.

China clarifies data export assessments and introduces SCCs

China has finalised Security Assessment Measures for Cross-border data transfers.  These came into effect on 1 September 2022, and clarify when and how to carry out a data export security assessment which is required before data is exported by critical information infrastructure operators.  The Measures specify a six month grace period until 31 March 2023 for affected companies to complete their assessments.  See here for more.

China has also presented draft SCCs for approval.  The consultation period closed at the end of July and final versions are expected soon as we discuss here.

Final decision on Meta's EU-US data transfers subject to Article 65 procedure

The Irish Data Protection Commissioner's draft decision to stop Meta transferring personal data from the EU to the USA is subject to the Article 65 procedure after concerns were raised during the Article 60 process.  It is thought that at least some of the objections related to the decision not to fine Meta for previous unlawful data transfers.  Meta continues to threaten withdrawal of its Facebook and Instagram services in the EU if the ban is agreed.

CNIL intends to fine Criteo €60 million for unlawful targeted advertising and profiling

The CNIL reportedly issued a preliminary notice of a €60 million fine to adtech company Criteo.  The fine follows a complaint by Privacy International.  The CNIL reportedly intends to fine Criteo for GDPR violations related to unlawful targeted advertising and profiling.  Criteo now has the right to make a written response before the CNIL issues a draft decision which will be subject to the Article 60 cooperation and consistency process.

Proposals for Regulations and Code of Practice under Telecommunications (Security) Act

In its response to a ten week consultation on drafts of the Electronic Communications (Security Measures) Regulations and Telecommunications Security Code of Practice, the government has set out its proposals for regulation to form part of the new security framework under the Telecommunications (Security) Act 2021.  As a result of the consultation, the government is making changes to the drafts ahead of commencement of the new framework in October. The new regulations will help ensure providers protect data, software and equipment which have critical functionality, and help them identify and mitigate security risks.

CMA publishes ICO reports and taxonomy on data protection harms

The CMA has published an ICO report on data protection harms and the ICO's taxonomy, and an ICO-commissioned report which reviews literature relevant to data protection harms.  The intention is to analyse different types of harms which arise as a result of data breaches or the inability to exercise data protection rights, and to look at their impact on individuals.  This covers a range of impacts from financial loss to emotional distress.  The report also looks at the wider impact of these kinds of harms on society.

House of Commons Library research briefing on Data Protection and Digital Information Bill

The House of Commons Library has published a research briefing on the Data Protection and Digital Information Bill which looks at the proposed changes the UK's data protection regime and sets them in context.  It's quite helpful in that it sets out what the consultation said, what the response said and what the draft Bill does as a result for various elements.  

News as at 20 July 2022

Data Protection and Digital Information Bill introduced to Parliament

The government has introduced the Data Protection and Digital Information Bill to Parliament.  It covers reforms to the UK GDPR, Data Protection Act 2018 and PECR, but also:

• access to customer and business data

• electronic signatures, seals and other trust services

• disclosure of information to improve public service delivery

• sharing of data for law enforcement

• information standards for health and social care

• biometric data

• the role of the Information Commission.

The personal data provisions are not surprising as they are broadly as outlined in the government's response to its consultation published in June (see here for more). As expected, the government intends to clarify certain aspects of the law (eg a definition of scientific research, and further processing) as well as change the rules in other areas including to provide more flexibility around notifying individuals when using their data for scientific research purposes, remove the requirement for a representative for a non-UK controller and remove of the requirement to appoint a DPO.  There will be a new approach to the government's assessment of 'adequate' international data transfers – under Schedule 5 of the Bill the government will consider whether the standard of protection provided in a third country is materially lower than the standard of protection provided under UK law - and there are reforms to the Information Commissioner's Office.

Changes to PECR will impact the way cookies are used and extend soft opt-in to marketing communications to non-commercial organisations.  The Bill also covers access to data for law enforcement and national security, information standards and interoperability for IT products and services supplied to health and adult social care sector. It provides for sector based smart data schemes with supporting regulation, to secure trusted data sharing.

We'll be taking a look at the headline issues in the Bill at our webinar on 26 July.  Click here to sign up.

UK government proposals on regulating AI

The DCMS has announced its AI Action Plan, part of its National AI Strategy. An AI paper sets out proposed rules based on six rather vague principles, which regulators must apply with flexibility, to support innovation while ensuring use of AI is safe and avoids unfair bias.  Rather than centralising AI regulation, the government is proposing to allow different regulators to take a tailored approach to the use of AI which is more contextual.  Regulators including Ofcom, the CMA, the ICO, the FCA and the MHRA will be asked to implement the core principles which are:

• ensure AI is used safely
• ensure AI is technically secure and functions as designed
• ensure AI is appropriately transparent and explainable
• consider fairness
• identify a legal person responsible for AI
• clarify routes to redress or contestability.

Regulators will be encouraged to use 'light touch' options including guidance and sandboxes and to coordinate their approaches.

The paper is subject to a call for evidence. Responses will be considered alongside further development of the framework in an AI White Paper which will look at how to put the principles in practice.  This should be published towards the end of 2022.

An AI Action Plan has also been published to show progress to date and identify priorities for the coming year.

ICO sets out strategic plan to 2025

The ICO has set out its strategic plan from 2022-25. The Information Commissioner John Edwards, said the focus will be on issues disproportionately affecting already vulnerable or disadvantaged groups.  This includes children, AI, algorithmic bias and malicious telemarketing.  The ICO will, for example, investigate the use of AI and possible bias in recruitment and other areas.  It will also issue further guidance, privacy by design templates, and set up a moderated discussion platform.

EDPB adopts criteria on closer cooperation on strategic cases

The EDPB has adopted a set of criteria to assess whether a case may be of "strategic importance" warranting closer cooperation between regulators.  These cases are usually 'one stop shop' cases which relate to a potential high risk to the rights and freedoms of individuals in more than one Member State.  The EDPB suggests at least one of the following criteria should be taken into account:

• a structural or recurring problem in multiple Member States, particularly where there is an issue relating to the interpretation, application or enforcement of the GDPR
• a case relating to the intersection of data protection and other areas
• a case which affects a large number of individuals in more than one Member State
• a case involving a large number of complaints in multiple Member States
• a case concerning a fundamental issue falling within the scope of EDPB strategy
• a case where the GDPR implies that a high risk can be assumed, for example, relating to special data, processing the data of minors, or where a DPIA is required.

Any Member State SA can propose a case which meets at least one of the criteria for consideration for closer cooperation.  The EDPB will then decide whether to identify it as a case of strategic importance, at which point it will be prioritised and supported by the EDPB.  This is in addition to the criteria set out in Chapter VII GDPR.

EDPB and EDPS Opinion on European Health Data Space

The EDPB and EDPS have issued a joint Opinion on the proposal for a European Health Data Space.  This sets out some overarching concerns including that the EHDS will provide for add-on rights already covered under the GDPR.  The regulators are concerned this might weaken privacy rights under the GDPR, particularly in relation to secondary uses of data.  There are also concerns over the interaction with the EC Data Governance Act, Data Act and AI Act.  Diverse regulation in this area across Member States is another issue.

In addition, the EDPB and EDPS recommend excluding wellness and other digital app data from the scope of the EHDS, and not extending the scope of GDPR exceptions regarding data subject rights.

ICO transparency manual on pilot enforcement powers framework

The ICO has published an FOI and Transparency regulatory manual 2022. This sets out a pilot framework for the ICO's regulatory action under its statutory powers under the FOIA and the Environmental Information Regulations 2004.  It explains the evidence the ICO will consider, levels of action the ICO will undertake, and aggravating and mitigating factors the ICO may consider.

ABPI guiding principles on use of NHS data for research purposes

The Association of the British Pharmaceutical Industry (ABPI) has released new guiding principles on the use of NHS data for research purposes.  The aim is to ensure transparency and that the benefit of the data use is shared with patients.  The guidelines are underpinned by five principles which supplement existing regulatory requirements and statutory safeguards applicable to the use of health data. These include transparency, fairness, and compliance with data protection law.

News as at 14 July 2022

EC corrects Dutch DPA's strict interpretation of 'legitimate interests'

The European Commission has written to the Dutch DPA to set out the law on legitimate interests as it says the Dutch DPA's assertion that purely commercial interests cannot qualify, is incorrect.  The Commission explains the three part test for reliance on legitimate interests in the context of the GDPR, the Google Spain case and the FashionID case.  It underlines the fact that while purely commercial interests can satisfy the first limb of the test (establishment of a legitimate interest behind the processing), the questions as to whether the processing is necessary, and the balancing exercise to establish whether that interest is overridden by the rights and freedoms of the data subject, also have to be answered before using legitimate interests as a lawful basis.  Neither of the second two parts of the test preclude purely commercial interests satisfying all three parts of the test.

Irish DPC intends banning Meta's data transfers to the USA

The Irish Data Protection Commissioner has sent a draft decision to the other EU regulators which sets out its intention to ban Meta (Facebook) from transferring personal data to the USA.  This has the potential to cut of EU access from services including Facebook and Instagram.  The Irish DPC carried out an 'own volition' investigation in the wake of the Schrems II judgment.  The decision is now subject to the Article 60 process and, potentially, to an EDPB decision under Article 65, should there be insufficient agreement with the ruling.  NOYB has said they expect objections to the draft decision to be made by other EU regulators.

UK government second post-implementation review of NIS Regulations

The government has published its second post-implementation review of the NIS Regulations. The review concluded that the Regulations work well on the whole, but identified areas for improvement including:

• a revised definition of 'reportable incident' to ensure the right type of incident is captured
• additional guidance to identify which organisations qualify as relevant digital service providers – the ICO may be given enhanced information gathering powers to this end
• greater flexibility to ensure relevant organisations and sectors are covered
• more to secure supply chains used by operators of essential services
• greater consistency across sectors
• provision of adequate resources for regulators, measures to ensure enforcement takes place.

The government expects that the Cyber Resilience Proposals, currently under consultation, will address some of its concerns.  Reviews will now take place every five years.

UK and South Korea agree data adequacy in principle

The UK and South Korean governments have reached a data adequacy decision in principle.  The decision, once finalised, will allow for the free flow of personal data between the two nations without the need for additional transfer mechanisms (although technically this is already in place as the UK retained the effect of EU adequacy decisions made prior to Brexit on a provisional basis).  The ICO has also signed a Memorandum of Understanding with the South Korean Personal Information Protection Commissioner.  This provides for continuing collaboration but does not involve data sharing.  The EC adopted a data adequacy decision in favour of Korea in December 2021.

ICO research into application of privacy by design

The ICO is asking to hear from designers and product team members about how they consider privacy by design in practice when designing digital products.  The ICO will used the feedback to its consultation to provide more practical support on implementing privacy by design.

Don't make ransomware payments, say ICO and NCSC

The ICO and NCSC have asked solicitors to ensure they don't advise clients to pay ransomware demands.  They remind organisations that high risk data breaches should be reported to the ICO, and that the NCSC can provide support and incident response guidance to mitigate harm.

News as at 7 July 2022

Ryder review on governance of biometric data published

An independent legal review of the governance of biometric data in England and Wales has been published. It was commissioned by the Ada Lovelace Institute in 2020 following calls from the Commons Science and Technology Select Committee, and was led by Matthew Ryder QC. The Ryder Review is supplemented by a policy report from the Institute.

The Review makes ten recommendations to protect fundamental rights, particularly data and privacy rights including for:

• a new technologically neutral statutory framework which sets out considerations and processes which must be followed by public and private bodies before biometric technology can be deployed against members of the public
• legislation that covers the use of biometrics for categorisation (or classification) as well as for unique identification of individuals
• sector and/or technology-specific codes of practice, including, as soon as possible, a legally binding code governing the use of LFR (live facial recognition technology).  The review says use of LFR in public should be suspended until this in place. The framework should supplement, not replace, existing duties under the Human Rights Act 1998, Equality Act 2010 and Data Protection Act 2018
• the establishment of a national Biometrics Ethics Board with a statutory advisory role in respect of public-sector biometric use
• further work on private-sector use of biometrics (as this study focused more on the public sector).

ICO releases Global Privacy Assembly guidance against credential stuffing attacks

The ICO has released a report from the Global Privacy Assembly's International Enforcement Working Group which highlights the growth of credential stuffing cyberattacks and provides guidance on how to prevent, detect and mitigate their risk.  This type of attack takes compromised logins and uses bots to try and log in to other sites with them, on the assumption that many people use the same passwords across multiple sites and devices.

Recommendations made in the report include:

• using multi-factor authentication
• using password managers or non-personal combinations of random words and numbers

• checking accounts for unusual activity or unauthorised transactions

• ensuring device software is regularly updated and patched

Guidance on incident response plans is also provided.

ICO revised approach to public sector enforcement

The ICO has set out a revised approach to working more effectively with public authorities.  Its intention is to use its discretion to reduce the impact of fines on the public sector, instead relying more on its wider powers including warnings, reprimands and enforcement notices.  Fines will only be issued in the most serious cases.  In addition, the ICO will work more closely with the public sector to encourage data protection compliance and prevent harms from occurring.

The ICO will include this initiative as part of its three year strategic vision, ICO25, to be further set out over the coming weeks.

Conseil d'État confirms CNIL's Amazon fine

The Conseil d'État has confirmed the CNIL's 2020 decision to fine Amazon Europe €35 million for dropping cookies without consent and for a lack of transparency in breach of the French Data Protection Act which implements the ePrivacy Directive.  The Conseil confirmed that the CNIL is competent to impose sanctions outside the GDPR's one stop shop mechanism, and that it had jurisdiction to do so in the context of Amazon's activities in France, even though Amazon did not have its main establishment there.  It also confirmed that the amount of the fine was not disproportionate relative to the seriousness of the breaches, the scope of the processing and the financial resources of the company.

News as at 30 June 2022

UK government response to consultation on proposals to standardise cybersecurity qualifications and certifications

The UK government has published its response to its consultation on standardising cybersecurity qualifications and certifications.  Based on the feedback it received, the government has decided not to legislate at this point.  It has, however, empowered the UK Cyber Security Council to award chartered status to suitably qualified cyber security professionals in 16 different specialism categories at a range of levels of expertise.  The Council will run a pilot for the specialisms of Risk Management and Security Architecture this summer and will formally launch the standards in 2023.  The launch of standards will then be rolled out by 2025.  There will also be a voluntary register of accredited individuals.

Is the EU planning to introduce data localisation requirements for cloud services?

Euractiv reports that the draft Cybersecurity Certification Scheme for Cloud Services (EUCS) contains data localisation and sovereignty requirements which would impact cloud service providers in the EU market.  The EUCS is secondary legislation being made under the EU Cybersecurity Act.  It sets up a voluntary, EU-framework for cybersecurity certificates.  Providers will be rated as providing basic, substantial or high assurance levels.  The current draft reportedly places sovereignty requirements on high-level assurance products and services (which will  likely cover cloud service providers), and would ensure EU law is primary, and that maintenance, operations and data must be located in the EU.  Immunity from non-European access would be guaranteed by requiring cloud service providers to be headquartered in the EU and not controlled by non-EU entities.

If published as reported, these proposals are likely to prove highly controversial, particularly if, as expected, the certification scheme becomes mandatory.

Garante bans use of Google Analytics and similar technologies transferring data to the USA

The Italian DPA, the Garante, has effectively banned the use of Google Analytics and similar technologies which export personal data from Italy to the USA. The regulator said that GA data cannot be adequately protected on transfer to the USA as a truncated IP address would not qualify as anonymised given Google is able to re-identify it.  It has asked all Italian website operators to verify that the use of cookies and other tracking tools on their website complies with data protection law, particularly in relation to GA and similar services. The Garante has set a 90 day compliance deadline and will begin enforcing after that. The Garante is following the decisions by the French and Austrian regulators.

News as at 16 June 2022

CNIL Q&As suggest transfers using Google Analytics are only lawful under limited circumstances

In February 2022, the CNIL found that an unnamed French website manager's use of Google Analytics resulted in the unlawful transfer of personal data to the USA.  Other French data controllers who were the subject of NOYB complaints have also received enforcement notices, and the Austrian regulator reached similar conclusions in responses to complaints they received.

The CNIL has now published a set of Q&As regarding its decisions.  Clarifications made by the CNIL include:

• all data controllers using GA in a similar way to the organisations which were given formal notices must now consider this unlawful under the GDPR
• Google's Standard Contractual Clauses (SCCs) cannot by themselves ensure an adequate level of protection for EU data from access by third country law enforcement agencies even though Google said it had provided for additional organisational and technical measures
  all data collected through GA is hosted in the USA
• Google does offer an IP address anonymisation function but not for all transfers and it is not possible to determine whether or not the data is anonymised before it is transferred to the USA.  There is a risk that information may be re-identified.  The CNIL suggests it is not possible to configure GA in such a way that ensures only anonymous data is sent to the USA in all situations
• encryption may be a sufficient additional safeguard but only where Google is not encrypting the data itself and the European data exporter or other entity established in a territory offering an adequate level of protection to the data, has exclusive control of the encryption keys
  an additional safeguard solution using a proxy server (which meets the June 2021 EDPS guidelines) to avoid direct contact between the internet user's terminal and the GA servers would be acceptable
• explicit consent of data subjects cannot be relied on to make the transfers lawful as this cannot be used for systematic transfers
• data controllers cannot adopt a risk-based approach to transfers made using GA or any other tool which transfers data to a third country.  If it is possible that the data may be accessed by government agencies in third countries (and not just where such access is probable), it is necessary to take additional technical measures to make the access impossible or ineffective

In short, the CNIL is saying that use of GA (or any similar technology where the data is hosted on servers in third countries) will result in unlawful data transfers unless the data is encrypted before it leaves the EA, by an EU (or adequate country) data controller with exclusive access to the encryption keys, or where a proxy server is used.  Whether or not the data being transferred is likely to be accessed by third country government agencies is irrelevant.

European Parliament Committee Opinion on Data Act proposal

The European Economic Social Committee has published its Opinion on the draft Data Act.  Among other things, it suggests amending the Act so that:

• those in charge of data services are required to use mainly renewable resources
• the scope of the Data Act be extended to cover all physical products that obtain, generate or collect data concerning their performance, use or environment and that are able to communicate that data via a publicly available electronic communications service
• users and data recipients are provided with unhindered access to data which is essential to the functioning, repairing or servicing of connected products and related services.

US Congress bipartisan group proposes American Data Privacy and Protection Act

A bipartisan group of lawmakers has circulated a draft federal data protection law.   The proposal includes protections for children's data, limits on targeted advertising, a limited right of private action, data minimisation requirements, and various technical and organisational requirements.  
While very much in its initial stages, the fact that the proposal is bipartisan has led to suggestions that this may be the bid for a Federal US privacy law that succeeds, particularly as it consolidates learning from previous failed privacy bills.

News as at 23 June 2022

UK government publishes response to consultation on data protection reform

The UK government has published its response to its September 2021 consultation 'Data: a new direction' which set out its proposals for reforming the UK's data protection regime.  In general, the proposed changes are less controversial than were originally discussed but there will be significant divergence from the UK (and therefore the EU) GDPR, and the the Privacy and Electronic Communications Regulations (PECR).

See our article by Victoria Hordern and Debbie Heywood for more on the

AG opinion on GDPR access right

AG Pitruzzella has opined in a reference from Austria on interpretation of the Article 15(1)(c) access right under the GDPR.  Article 15(1)(c) provides that individuals can obtain information from a controller about the recipients or categories of recipient to whom their personal data has been or will be disclosed.  The AG was asked, in summary, whether it was at the controller's discretion to decide whether to disclose precise recipients, or categories of recipient.

The AG said that it is the data subject, not the controller, who has the choice.  This is backed up by the wording of Recital 63 (which refers to the right to know the recipients of data), and due to the purpose of Article 15(1)(c). The right is intended to allow data subjects to verify the lawfulness of any disclosure and confirm recipients of their data are authorised.  This implies that the information provided to them must be as precise as possible.

EDPB adopts final guidelines on certification as transfer tool

The EDPB has adopted guidelines on certification mechanisms as a tool for transfer. The guidelines are in four parts and look at aspects relevant to various actors from certification bodies, to users.

ICO to keep portion of fines

The ICO has announced that it will now be able to keep a portion of funds paid as civil and monetary penalties it imposes.  Previously, the amounts went to the government's Consolidated Fund.  They will now be used to cover pre-agreed, specific and externally audited litigation costs.

News as at 26 May 2022

Data Governance Act nears completion

The Data Governance Act has cleared the last hurdle to adoption following formal adoption by the Council of the European Union without further changes.  It will now be signed by the Presidents of the co-legislators and published in the Official Journal.  It will enter into force 20 days after publication and will apply 15 months after it comes into force.

EDPB guidelines on calculation of fines

As mentioned last week, the EDPB has published new draft guidelines for DPAs on calculating GDPR fines.  The EDPB says the starting points for assessing the amount of a fine are categorisation of infringement by nature, the seriousness of the infringement, and the turnover of the business at fault.

The EDPB outlined a 5-step approach:

• Establish whether there is one or more instances of sanctionable conduct and whether they relate to one or multiple infringements.
• Use the EDPB's harmonised method to determine the starting point for the fine (based on the seriousness of the infringement).
• Consider aggravating or mitigating factors based on the EDPB's consistent interpretation.
• Determine the legal maximum of fines as set out in Article 83(4)-(6) GDPR.

• Analyse whether the calculated final amount meets the requirement of effectiveness, dissuasiveness and proportionality or whether further adjustments to the amount are necessary.

Despite providing harmonisation and transparency, the guidelines are just that.   Above all, the individual circumstances of the case must be a determining factor.

The draft guidelines are open for consultation until 27 June 2022.

ICO fines Clearview AI £7.5 million

• The UK's ICO has fined Clearview AI just over £7.5 million for breaches of UK data protection law following a joint investigation with the Australian Information Commissioner.  Clearview AI has a global online facial recognition database which relies on images scraped from the internet.
  The ICO found that Clearview AI had:
• failed to give information to UK individuals in a fair and transparent manner
• failed to have a lawful basis for collecting the information
• failed to have suitable data retention policies
• failed to provide higher data protection standards required for biometric data
• asked for additional information from people inquiring whether they were on their database.

The ICO has also ordered Clearview AI to stop obtaining personal data of UK residents which is publicly available on the internet, and to delete the data of UK residents from its systems.

EDPS Opinions on data security

The EDPS has published Opinions on EU proposals to set out a common high level of cybersecurity and information security in EU institutions.  The EDPS welcomes the proposals but suggests the text could be improved by including greater assurances for the rights and freedoms of individuals where their data is processed for security operations.  He recommends ensuring all proposed security measures have a valid legal basis and are necessary and proportionate.  In particular, he says the Cybersecurity proposal needs to achieve better alignment with the recently approved NIS2 Directive.

Spanish DPA fines Google €10 million

The Spanish DPA (AEPD) has fined Google €10 million for breaches of the GDPR.  It found that Google had passed personal data relating to right to be forgotten requests to a third party in the USA without having a lawful basis for doing so.  This also had the effect of preventing individuals from having their data erased.  The data was transferred under the Lumen Project, an academic project which involved creating a database of content takedown requests.  The AEPD said that individuals were not given a chance to opt-out of their data being transferred and also criticised Google's process for submitting erasure requests.  In addition to the fine, the AEPD ordered Google to delete all personal data shared with Lumen and ensure Lumen did the same.

Google has said it is considering its response but underlined that it has already started re-evaluating and redesigning its data sharing process with Lumen.

CNIL criteria for assessing legality of cookie walls

The French DPA (CNIL) has published guidance on criteria for assessing the legality of cookie walls. It stresses that the GDPR requirement that consent be freely given does not automatically mean cookie walls cannot be used at all.  The key is whether users are given genuine alternatives to accepting cookies.  For example, provided the cost of access is reasonable, it might be acceptable to offer users the chance to use a paid-for cookie-free service, as an alternative to a free service which requires consent to cookies.

News as at 19 May 2022

EC adopts draft Regulation to prevent and combat child sexual abuse online

The European Commission has adopted a new European strategy for a Better Internet for Kids (BIK+).  The strategy aims to improve age-appropriate digital services and ensure children are better protected, empowered and respected online.  

It has been adopted together with a draft Regulation to prevent and combat child sexual abuse online.  The Regulation will oblige providers to detect, report and remove child sexual abuse (CSA) material on their services.  Providers will need to assess and mitigate risk of misuse of their services and take proportionate measures to address issues.

An EU Centre on Child Sexual Abuse will be created to assist service providers and act as a hub of expertise for providers, assist law enforcement and provide victim support.

Key elements include:

• Providers of hosting and interpersonal communication services will have to assess the risk of their services being misused to disseminate CSA content or to groom children.  They will also be required to propose risk mitigation measures.
• Member States will need to designate national authorities to review risk assessments.  Where they determine significant risk remains, they can ask a court or independent national authority to issue a detection order for known or new CSA material or grooming.  Detection orders will be time-limited and will target a specific type of content on a specific service.
• Companies which have received a detection order will only be able to detect content using indicators of CSA verified and provided by the EU Centre for CSA.  Detection technologies must only be used for CSA and will need to be the least privacy-intrusive in accordance with state of the art, as well as limiting false positives to the maximum extent.
• There will be clear reporting provisions.
• National authorities will be able to issue removal orders if material is not swiftly taken down.  Internet access providers will be required to disable access to CSA content which cannot be taken down, for example because it is hosted in a jurisdiction which will not cooperate.
• App stores will be required to ensure children cannot download apps which might expose them to a high risk of grooming.
• There will be oversight mechanisms and availability of judicial redress.

There are concerns that, if the Regulation remains in its current form, it will allow for significant intrusion on privacy.  The positive obligation on businesses to detect and remove child abuse images could provide scope for scrutiny of encrypted messages and potential profiling.  The legislation may change significantly on its way to enactment if the current proposals prove sufficiently controversial.

Political agreement reached on NIS2

Provisional political agreement has been reached by the European Parliament and Council on the NIS2 Directive. NIS2 builds on the NIS Directive.  It covers medium and large entities across a wider range of sectors including public electronic communications services and digital services.  It also covers the healthcare sector.  It strengthens cybersecurity requirements and addresses security of supply chains and supplier relationships.  It also streamlines reporting obligations and introduces stricter enforcement mechanisms.  In addition, it will help increase information sharing and cooperation on cyber crisis management at EU and Member State level.

Member States will have 21 months to transpose the Directive after it comes into force so it is expected to apply some time in 2024.

US set to ban access to US personal data by certain countries

President Biden is reportedly preparing to issue an executive order which would give the US Department of Justice power to stop certain foreign countries from accessing the personal data of Americans.  Commercial transactions involving the transfer of data to third countries deemed to pose a risk to national security could be reviewed and stopped.  The draft order is currently being reviewed by government agencies.

Google announces new user controls

Google has announced additional user controls which will enable users to customise ads through an ad centre, and to request removal of search results giving contact details.  This will not impact search results from news publications. Additional security features will also be introduced including virtual credit cards which mask actual credit card numbers.  More controversially, Google is also reportedly planning to allow drivers' licences to be stored in wallets.

EDPB 2021 Annual Report and May plenary

The EDPB has published its 2021 Annual Report. It highlights its work on Schrems II supplementary measures, and opinions on the UK adequacy decisions, new SCCs  and guidelines on codes of conduct as a tool for transfer.  Its digital work covered opinions on EC legislative proposals including the Data Governance Act, the Digital Services Package and the AI Act.  Law enforcement was another priority and various guidance documents were published.

The EDPB's objectives for 2022 include guidance on legitimate interests and on the use of facial recognition by law enforcement published for consultation at the May plenary session.  The EDPB also published draft Guidelines on the calculation of administrative fines under the GDPR for consultation.

News as at 12 May 2022

UK Data Protection Bill announced

The UK government has announced a Data Reform Bill to streamline the UK's data protection laws.  The Bill is likely to move the UK away from the GDPR regime in some areas but more detail will emerge when the government publishes its response to its consultation on data protection reform.  This is likely to be in a few weeks' time and the Bill is then expected to be published in the Summer.  This suggests we may see a draft before Parliament begins its summer recess on 21 July.  The new Bill of Rights which was also announced in the Queen's speech may also impact the data protection regime.

Government calls for views on improving security and privacy of apps and app stores

DCMS has published a call for views on improving the security and privacy of apps and app stores, together with supporting documents.  Following a review of the app store ecosystem, the government finds that consumers continue to have access to poorly developed and malicious apps, with the most prevalent risk being in-app malware.  App stores are not adequately signposting requirements to developers and users are failing to prioritise security and privacy when downloading apps.  

The government seeks views on its plans:

• To create a voluntary code of practice for app store operators and app developers.
• A range of interventions including the government working closely with app store operators and consumer groups, as well as the ICO, to develop further tools and guidance to underline the principles of data protection by design and default.

The call closes on 29 June 2022.  The government will publish a response and then, if the idea for a code of practice is adopted, it will be published later this year.

EDPB and EDPS Joint Opinion on draft Data Act

The EDPS and EDPB have published their Joint Opinion on the proposed Data Act.  While they welcome the aim of the Data Act to work within the current data protection framework, they express "deep concerns" about the lawfulness, necessity and proportionality of the obligation to make data available to Member State and EU public sector bodies in case of "exceptional need".  They ask the co-legislators to define more clearly when this might apply and which bodies might request data in those circumstances.

The EDPS and EDPB also advise provision for limitations or restrictions on the use of data generated by the use of a product or service by an entity other than data subjects, particularly where the data is likely to allow profiling or would otherwise entail high risks to the rights and freedoms of individuals.  They also recommend clear limitations regarding the use of the relevant data for direct marketing or advertising, employee monitoring, calculating and modifying insurance premiums, and credit scoring.  Limitations on the use of data are also advocated to protect vulnerable data subjects, particularly children.

ICO updated AI and data protection risk toolkit

The ICO has launched an updated AI and data protection risk toolkit following comments on its beta version.  The toolkit is intended to provide practical support to organisations using AI systems.  It is intended to help organisations assess and mitigate risks to individuals.

AG Opinion on erasure of phone directory data

The AG has published an Opinion on the impact of a right to erasure request following withdrawal of consent to have personal data published in a public electronic telephone directory.  The rights that apply in terms of consent requirements and to erasure, are under the GDPR.  Under the ePrivacy Directive, however, Article 12(2)suggests that for the purpose of the publication of personal data in a public directory, consent need only be given once and not to a particular provider.  It applies to any subsequent processing of personal data by third-party undertakings active in the market of publicly available directories provided the processing is for the same purpose.

The AG was asked to consider what should happen when a data subject asks for their data to be removed from directories.  The AG said the CJEU should rule that:

• Consent is required in order to include contact details in directories published by a telecommunications operator or other providers of directories.
• A request to have that data removed constitutes an Article 17 GDPR erasure request.
• A Supervisory Authority may conclude that a controller must take all appropriate technical and organisational measures to inform third-party controllers ie the telecommunications operator and other providers of directories, that the data subject has withdrawn consent.
• Article 17(2) GDPR does not preclude an SA from ordering a provider of directories to inform search engine providers of requests for erasure.

News as at 5 May 2022

CJEU says consumer protection organisations can bring actions for breach of GDPR

The CJEU has ruled in a reference from Germany, that Member States can make provision for consumer protection associations to instigate actions for breach of data subject rights on the basis of infringement of rules on unfair commercial practices, consumer protection, or the use of invalid general terms and conditions.  They can do this at their own instigation, without the mandate of a specific data subject or infringement of specific rights.  Article 80(2) GDPR does not preclude this.

The reference was made in relation to Meta.  The Bundersverband (Federal Union of Consumer Organisations and Associations) alleged that Facebook Ireland (now Meta) had failed to provide fair processing information to users of free games on its app in breach of data protection law, and had also breached consumer protection and competition rules.  The German Federal Court of Justice asked the CJEU to decide whether or not the Bundersverband had standing under Article 80(2) GDPR.  

Crucially, the CJEU held that in order to bring a representative action, an authorised organisation need not identify a specific data subject.  Identifying an affected category or group may be sufficient.  Moreover, there doesn't need to be a specific infringement of a data subject's rights, nor proof of actual harm in a given situation.  This decision potentially opens the floodgates to actions brought by consumer protection organisations, for example, around cookie banners or marketing communications.  The organisation will be able to bring proceedings in relation to a suspected breach of consumer protection or data protection rules without having to do so through or at the instigation of an individual.  Read more.

In the UK, to which the CJEU decision does not apply (although the courts may take it into account), Meta is facing a representative action before the Competition Tribunal under the Consumer Rights Act 2015.  It alleges Meta abused its market dominance by setting an unfair price for the free use of Facebook in the form of the personal data it collects from users.  The class includes all people domiciled in the UK who used Facebook at least once between 1 October 2015 and 31 December 2019 unless they opt out.  It will be interesting to see how it develops.

EC draft Regulation to create European Health Data Space

As part of the European Strategy for Data, the European Commission has published a Regulation to create a European Health Data Space. This is the first draft legislation on the proposed common European data spaces.  The aim is to:

• give users control of their electronic personal health data, nationally and cross-border, as well as support their free movement by creating a genuine single market for electronic health record systems, relevant medical devices and high risk AI systems
• provide a consistent, trustworthy and efficient set-up for the use of health data for research, innovation, policy-making and regulatory activities.

Individuals will have access to their electronic health care records and will be able to add information, rectify inaccurate data, restrict third-party access, and have oversight of how their data is used.

Member States will be required to ensure patient summaries, prescriptions, images, image reports, lab results and discharge reports are issued and accepted in a common European format.  There will also be mandatory interoperability and security requirements.

Google announces app safety section and privacy labels for Google Play apps

Google has announced a new safety section for Google Play which will help people understand the data an app collects or shares, whether the data is secured and additional details which impact privacy and security. The safety section will be rolled out in stages ahead of a 20 July deadline for app developers. The safety section will detail:

• what type of data is collected and stored and how it is used
• whether the app uses security like encryption
• whether the app follows Google's 'Families Policy'
• whether the app needs the data to function or whether users have a choice about sharing it
• whether the app's safety section is verified by an independent third party
• whether the app allows users to request data deletion when they uninstall the app.

Developers will also be able to show whether the developer is sharing data with third parties.  Permissions, for example, to use location data, will be simplified.

Apple has a similar but not identical system but the use of privacy labels has been criticised as having potential to be misleading or inaccurate.  Google says it checks each data safety section.

EU Data Protection Authorities to step up cooperation

EDPB members have agreed to further enhance cooperation on strategic cases and to diversify the range of cooperation methods they use.  Each year, the DPAs will identify a number of cross-border cases of strategic importance for which an action plan with a fixed timeline for cooperation will be set.  Groups of DPAs may join together to work in groups or create an EDPB taskforce.  The DPAs have also committed to sharing information about enforcement strategies and priorities.

ICO publishes resources on acting in the best interests of children

The Children's Code requires online services to treat the best interests of the child as the primary consideration when designing and developing services likely to be accessed by children.  This involves considering how the use of their data impacts the rights held under the United Nations Convention on the Rights of the Child.  The ICO has created tools, templates and guidance to assist organisations in making assessments.

Data Standards Authority publishes new data standards

The Data Standards Authority has endorsed two new government data standards:

• The Beneficial Ownership Data Standard (BODS) sets out consistent processes to collect, use, exchange and publish information about ownership, beneficial ownership and control of companies and other organisations.

• The Open Referral UK Data Standard defines a way of gathering and using local authority public services data in a consistent directory structure.

These standards are intended to increase transparency and data sharing.

News as at 28 April 2022

Digital Markets Act text leaked

A leaked version of the negotiated version of the Digital Markets Act has been published.  There have been some significant changes since the first draft.  These include wide-ranging interoperability requirements on messaging services, and extended obligations on gatekeepers under Articles 5 and 6, including around use of data.

In particular:

• Web browsers and virtual assistants have been added to the list of core platform services.
• Users will have the right to download apps from the internet and third party app stores.
• App developers will be allowed to select which in-app payment solution they want to use.
• The requirement to provide access to app stores on fair, reasonable and non-discriminatory (FRAND) terms, has been expanded to include access to search engines and social networking services.
• Gatekeepers will (subject to certain conditions) have to ensure their messaging services are interoperable with those of their competitors without compromising end-to-end encryption.
• The prohibition on combining personal data across gatekeeper services or with personal data from third-party services without consent has been extended.  Gatekeepers must not process personal data from end users using third party services which use core platform services for their advertising purposes.  Nor can they combine personal data across their core services, nor cross-use personal data from core services in other separate services, nor use single sign-in across services unless the end user has consented (to GDPR standards of consent).  Consent for these purposes can only be sought once a year.
• Advertisers will be able to access both aggregated and non-aggregated data which must be provided by gatekeepers in such a way that advertisers can analyse it using their own software.

Google announces 'reject all' button

Google has announced it will roll out a 'reject all' button allowing users in the EEA, UK and Switzerland, to reject or accept all non-essential cookies on search or YouTube provided they are signed out or are in incognito mode. Customised options will also be available.  The roll-out has started in France (which has been particularly focused on cookie consent).

The news was welcomed by the ICO as a step in the right direction although Stephen Bonner, Executive Director of Regulatory Futures and Investigations, commented that "there's still a long way to go to address concerns around consent across the whole advertising industry…current approaches to obtaining cooking consent need further revision in order to provide a smoother and increasingly privacy-friendly browsing experience.".

US Department of Commerce announces new Global CBPR Forum for data flows

The US Department of Commerce has announced the creation of a Global Cross-Border Privacy Rules Forum with Canada, Japan, Republic of Korea, Philippines, Singapore and Taiwan.  The Forum aims to establish cross-border privacy rules and privacy recognition for processor systems, as well as privacy standards certification. It also considers interoperability with other data protection and privacy frameworks. A Declaration sets out the underlying principles of the forum.  Members will exchange views and share research, analysis and policy to develop best practice.  The Forum is theoretically open to all.

Draft EMA guidance on protection of personal data and CCI in the CTIS

• The European Medicines Agency (EMA) has published draft Guidance on how to approach the protection of personal data and commercially confidential information (CCI) in documents uploaded and published in the clinical Trial Information System (CTIS).  The draft guidance covers:
• the legal frameworkthe operation of the CTIS
• how to manage personal data in documents submitted to CTIS, focusing on anonymisation of various different categories of personal data eg trial participants, non-trial participants
• how to identify and redact CCI in documents submitted for publication to the CTIS
• protection of personal data and CCI in Good Clinical Practice inspection reports published to the CTIS.

News as at 12 April 2022

European Parliament adopts position on Data Governance Act

The European Parliament has adopted its position on the draft Data Governance Act. The European Council is expected to adopt the approved version without further amendments and it will then be published in the Official Journal.  The Data Governance Act establishes:

• conditions for the reuse of certain categories of protected data held by public sector bodies
• a framework for the creation and supervision of independent data sharing intermediaries
• a framework for registration and supervision of "data altruism" organisations which collect and process data for altruistic (non-profit) purposes
  common European data spaces in areas including health, the environment, mobility and finance
• the creation of a European Data Innovation Board – an expert group to help create harmonised standards and practices.

EDPB reserves judgment on planned Trans-Atlantic Data Privacy Framework

• The EDPB has welcomed the agreement in principle of a replacement for the Privacy Shield. However, it reserves judgment until it has seen the detail of the legal framework.  It confirms it will pay particular attention to:
• whether collection of personal data for national security purposes is limited to what is strictly necessary and proportionate
• how the independent redress mechanism respects EEA individuals' right to an effective remedy and to a fair trial
• whether any new authority part of this mechanism has access to relevant information including personal data when exercising its mission and whether it can adopt decisions binding on the intelligence services
• whether there is a judicial remedy against this authority's decision or inaction.

See here for more about the TADPF.

Goldacre report on health data published

The government-commissioned report into using health data for research and analysis has been published. Ben Goldacre was commissioned in February 2021, to look into how efficient and safe use of health data for research and analysis can benefit patients and the healthcare sector. The report, aimed at NHS policy makers, the government, and research funders, as well as those using health data for service planning, public health management and medical research, makes 185 recommendations over 112 pages.  Helpfully, an executive summary and a slightly longer summary have also been published.  The government is likely to include its response in its health and social care data strategy which is expected to be published later this year. The report recommends a move away from techniques like pseudonymisation and towards shared Trusted Research Environments (TREs).  The emphasis is on shared resources and processes to enable data sharing in a secure environment.  Investment in platforms and curation is seen as the key to resolving problems caused by the current fragmented approach, while preserving patient privacy.

CMA update on investigation into Meta's use of ad data

The CMA is investigating Facebook's collection and use of data in the context of providing online advertising services, including whether its single sign-on function gives it a competitive advantage. It has announced an extension to its information gathering period to summer 2022.

ICO latest guidance on data protection and COVID-19

The ICO has published guidance for businesses around use of personal data relating to the COVID-19 pandemic now that measures have been relaxed across the UK.  The ICO says organisations should ask themselves:

• how continuing to collect extra personal information will keep the workplace safe
• whether previously collected information is still required
• whether the desired result could be achieved without collecting personal data.

Current approaches should be reviewed to ensure they are still reasonable, fair and proportionate to current circumstances taking the latest government guidance into account.  Information collected during previous stages of the pandemic should be deleted if it is no longer required.  

Organisations should consider whether they (still) need to collect vaccination information.  There must be a compelling reason to do so and an appropriate lawful basis must be selected (in addition to any employment law requirements).

Data protection law does not prevent organisations from informing employees about positive cases, but individuals should not be named unless to do so is unavoidable, and only minimum information should be provided.

AG Opinion on right to be forgotten evidence

Advocate General Pitruzzella has opined on a reference from the German Federal Court on the issue of evidence to back up a request to have search results de-listed under Article 17 GDPR (and equivalent provisions under the Data Protection Directive).  

The applicants brought a claim against Google asking it to de-reference certain search results of articles whose accuracy they disputed, and to stop displaying thumbnail photographs distinct from the articles.  The referring court asked whether it was for the applicants to provide evidence that the information was untrue, or whether it was for Google to assume the claims were well founded and de-list, or to seek to clarify the facts.

The AG said it was for the data subjects to provide evidence of the falsity of relevant content where to do so is not manifestly impossible or excessively difficult.  The search engine operator should carry out checks which fall within its specific capacities.  Where possible, it should contact the publisher of the relevant web page.  Where appropriate, it could suspend the referencing on a temporary basis pending further information, or mark the results as containing disputed information.  There should be a balancing of the fundamental rights involved.

With regard to the thumbnails, the AG said there was no need to de-reference images from an image search on the basis of their connection to a name, as account should not be taken of the context of the publication on the internet in which the thumbnails originally appeared.

News as at 7 April 2022

FCA call for input on use of synthetic data

The FCA has published a call for input on the use of 'synthetic data' to support financial services innovation.  The FCA is looking for solutions which will enable greater data sharing for competition purposes and to facilitate innovation while preserving privacy.  The FCA believes that it would save on GDPR-related bureaucracy, as well as protecting the rights of individuals.  It is looking for views from a range of stakeholders on the potential benefits of using synthetic data, as well as possible limitations and risks.  The call closes on 22 June 2022.

TikTok settles US class action

TikTok has settled a class action which alleged that TikTok did not collect verifiable parental consent before processing personal information of under-13s in beach of the US Children's Online Privacy Protection Act.  The $1.1 million will split among the class which consists of US users aged under 13 who registered for or used TikTok or Muiscal.ly before the effective date of the settlement.   TikTok and some of its group companies are also facing a representative action in the High Court around use of children's data.

ICO fines business £80,000 for sending unsolicited marketing texts

The ICO has fined H&L Business Consulting Ltd £80,000 for sending nearly 400,000 unsolicited marketing texts which sought to capitalise on the pandemic by directly referencing lockdown when marketing a 'debt management' scheme.  The messages falsely claimed the scheme was government-backed when it was not even authorised by the FCA.  In addition, the company director had been uncooperative with the ICO.

Sri Lanka passes new data privacy law

Sri Lanka has passed its Personal Data Protection Act.  Heavily influenced by the GDPR, it will come into effect in stages from next year.

News as at 31 March 2022

Privacy Shield 2.0 agreed "in principle"

The EC and US government have announced agreement "in principle" of a new Trans-Atlantic Data Privacy Framework to facilitate frictionless data flows between the EU and USA. Full details have not been released but in its press release, the White House said the USA had made "unprecedented commitments" to:

• Strengthen privacy and civil liberties safeguards governing US signals intelligence activities
• Establish a new redress mechanism with independent and binding authority, and
• Enhance its existing rigorous and layered oversight of signals intelligence activities.

It goes on to say that the Framework ensures:

• Signals intelligence collection may be undertaken only where necessary to advance legitimate national security objectives and must not disproportionately impact the protection of individual privacy and civil liberties.
• EU individuals may seek redress from a new multi-layer redress mechanism that includes an independent Data Protection Review Court that would consist of individuals chosen from outside the US Government who would have full authority to adjudicate claims and direct remedial measures as needed.
• US intelligence agencies will adopt procedures to ensure effective oversight of new privacy and civil liberties standards.

The scheme will operate as before, on a self-certification basis signalling that an organisation complies with a set of Principles.

The announcement has been greeted with enthusiasm by organisations and privacy professionals.  Privacy campaigners including Max Schrems and NOYB, have, however, been more cautious (to put it mildly).  They warn that "we expect this to be back at the Court within months from (sic) a final decision".  This is based on the expectation that the final text of the Privacy Shield will use GDPR-friendly language (such as 'redress' and 'proportionality') but will not be underpinned by any changes in US surveillance laws.  A recent US Supreme Court decision (FBI v Fagaza), reinforced the rights of surveillance authorities to access personal data so it remains to be seen whether a meaningful redress system will be set up for EU citizens concerned about access to their data.

A final version of the new Framework is not expected for the next few months, after which it will go through an approval process, so it is unlikely to be in place in the short term.  Assuming it is adopted, even if there is an ensuing legal challenge, it should at the least hold for a year or two.  The EC and the US, not to mention businesses, will be hoping it fares better than that and provides a lasting solution where Safe Harbor and the original Privacy Shield failed.

Political agreement reached on Digital Markets Act

The EU Parliament and Council have reached provisional political agreement on the Digital Markets Act (final text not yet published although due imminently).  The DMA is intended to regulate digital markets, effectively to help 'level the playing field' and, focuses on those platforms (including social media) designated as "gatekeepers".  This means the bulk of the Act is aimed squarely at the tech giants although it will impact the wider market.  SMEs are specifically excluded from gatekeeper status although obligations may be placed on "emerging gatekeepers".

Recognising that data provides gatekeepers with a significant competitive advantage, many of the provisions relate to their use of data.  Gatekeepers will be required to share certain data with sellers on their platforms, and will be subject to restrictions on their use of personal data across their services.

Who are the 'gatekeepers'?

A platform will be a gatekeeper if:

• it has had annual turnover of at least €7.5 billion within the EU in the past three years, or it has a market valuation of at least €75 billion, and
• it has at least 45 million monthly end users and at least 10,000 business users established in the EU, and
• it controls one or more core platform services in at least three Member States.  Core platform services include marketplaces, app stores, search engines, social networking, cloud services, advertising services and web browsers.

If a gatekeeper does not agree with its designation as such, it can challenge the finding.

Gatekeeper requirements

Gatekeepers will have to:

• ensure users can unsubscribe from core platform services under similar conditions to which they signed up
• not require use of pre-installed default important software (eg browsers) with operating systems so users will be able to select their browsers, search engines and personal assistants
• ensure interoperability of instant messaging services, so the large messaging services will be required to be interoperable with smaller ones on request
• allow app developers fair access to supplementary functionalities of smartphones, such as NFC chips
• give sellers access to their marketing or advertising performance data on their platform
• notify the European Commission of mergers and acquisition.

Gatekeeper restrictions

Gatekeepers will not be allowed to:

• rank their own products or services higher than those of others
• reuse private data collected through one service for the purposes of another service
• have unfair terms and conditions for business users
• pre-install certain software applications
• require app developers to use certain services (for example payment systems or ID providers) in order to be listed on app stores.

Enforcement

Compliance with the DMA will be overseen by the European Commission. An advisory committee and high-level group will be set up to assist the Commission.  Member States will be able to empower their own competition authorities to start investigations into possible non-compliance and refer to the Commission.

Non-compliance will result in fines of up to 10% of annual global turnover, rising to up to 20% for repeat offences. Systematic non-compliance (at least three times in eight years) could lead to a market investigation and the imposition of structural or behavioural remedies.

Interaction with the Digital Services Act

The DSA, which is going through the legislative process running shortly behind the DMA, is another core pillar of EU digital regulation.  As such, there are areas of overlap, including around digital advertising.  At the press conference to announce political agreement on the DMA, Competition Commissioner Vestager said the DSA is likely to include a ban on targeted advertising without consent, as well as rules on advertising to minors.  The Commission is hoping to pass the two Acts around the same time.

Next steps

The DMA text will now be finalised and then needs to be approved by the Council and the European Parliament. It is expected to come into force in or around October 2022 and will come into effect six months later.

Digital Regulation Cooperation Forum portal launched

The Digital Regulation Cooperation Forum (DRCF) has launched a new digital regulation research portal.  The DRCF includes the CMA, Ofcom, the ICO and the FCA.  Its digital regulation research programme brings together over 80 pieces of recent research on emerging and future digital developments from eight regulatory bodies including the DRCF members, the IPO, the Bank of England, the ASA and the Gambling Commission.

CMA appoints Trustee to monitor Google 'Privacy Sandbox' commitments

The CMA has appointed ING Bank NV as Monitoring Trustee to monitor compliance with Google's commitments to the CMA regarding its Privacy Sandbox proposals.  Google's plans to replace third party cookie functionality on its Chrome browser, with Privacy Sandbox tools, are subject to a number of commitments and the Trustee will produce quarterly reports on compliance.  It will also inform Google if any further measures are required, and report to the CMA if it considers Google is not adhering.

National Data guardian evidence to digital data inquiry

The National Data Guardian has given written evidence to the Science and Technology Committee's digital data inquiry.  It details the advantages of facilitating the collection and sharing of health data while underlining that trust is essential to the process.  It suggests the government's proposals on sharing health data made in in its strategy on data protection reform ("Data, a new Direction"), and the "Data Saves Lives" draft strategy, could lead to weaker rights for individuals.  Not only would this be an issue for individuals who may be less willing to share health data, but it could have a knock on effect on the EU-UK adequacy decision for data transfers.

News as at 24 March 2022

UK IDTA and Addendum now in force

The UK's International Data Transfer Agreement and Addendum to the EC Standard Contractual clauses came into force on 21 March 2022 without further changes.  UK organisations should begin using these for new transfers.  Contracts concluded on or before 21 September 2022 on the basis of the previous Standard Contractual Clauses will be treated as providing adequate safeguards for data exports until 21 March 2024, provided that the processing operations they cover remain unchanged. See here for more.

Google to phase out Universal Analytics in favour of Google Analytics 4

Google's most up to date analytics tool is Google Analytics 4 (GA4), launched two and a half years ago.  Google has announced it will begin phasing out the previous version, Universal Analytics next year.   All standard Universal Analytics will stop processing new hits on 1 July 2023.  The more recently introduced Universal Analytics 360 will cease hit processing on 1 October 2023.  

GA4 operates across platforms and does not rely exclusively on cookies.  It uses an event-based data model to delivery user-centric measurement.  Going forward, GA4 will no longer store IP addresses.  GA4 has always used anonymised IP addresses but Google says it no longer needs to log them, relying instead on data-driven attribution modelling and other upgrades including modular country settings.

Exports of Google Analytics data from the EEA to the USA have been under regulatory scrutiny since the Schrems II judgment and a number of SAs have found such exports to be unlawful.  Google will be hoping that these changes will address concerns.

Consultation begins on Data Act

The EC has issued a call for feedback on the draft Data Act.  It will summarise the responses which will then form part of the legislative debate on the proposed Regulation. The consultation closes on 11 May 2022.

EC call for evidence on new Cyber Resilience Act

The EC has issued a call for evidence for an impact assessment and public consultation on a new initiative (most likely a Regulation) on horizontal cybersecurity requirements for digital products and ancillary services (EU Cyber Resilience Act).  The initiative was announced by Ursula Von der Leyen in her 2021 State of the Union Address.  The Act will aim to make digital products and ancillary services more secure and ensure adequate cybersecurity is applied throughout a product's lifecycle, alongside provision of information.  

Various policy options are under consideration, from a largely self-regulatory approach, to full-scale legislation, to a hybrid approach.  The call closes on 25 May 2022 and the Commission expects to publish proposals in the third quarter of 2022.

EDPB 62nd Plenary Session

The EDPB has adopted the following at its 62nd Plenary Session:

• Guidelines on Article 60 GDPR – these support effective enforcement and cooperation between national supervisory authorities.  They are intended to help SAs interpret their local procedures in a way which conforms to their obligations under the one-stop-shop mechanism.
• Guidelines on dark patterns in social media platform interfaces – these provide practical recommendations to designers and users of social media platforms on how to assess and avoid 'dark patterns' in social media interfaces which infringe GDPR requirements.  The guidelines provide examples of dark pattern types and give best practice and specific recommendations for designers of user interfaces.
• Toolbox on essential data protection safeguards for enforcement cooperation between EEA and third country SAs – The toolbox can be used both for administrative arrangements developed within the EDPB by third country SAs and for international agreements negotiated by the EC.  It covers key topics such as data subject rights, the data protection principles and judicial redress.
• A joint EDPB/EDPS opinion on proposals to extend the Digital Covid Certificate – the opinion expresses concern that no impact assessment was carried out before the decision was taken to extend the current COVID certificate regulations.  While recognising that changes did not substantially alter the existing provisions, the EDPS also cautioned that measures need to be kept under constant review to ensure they are effective, necessary and proportionate, and in compliance with the GDPR.

ICO fines of £450,000 for targeting older and vulnerable people

The ICO has fined five companies a total of £450,000 for making over 750,000 unwanted marketing calls targeted at older and vulnerable people.  The ICO found that the companies, possibly working together or using the same marketing lists, were deliberately targeting older people by buying lists form third parties, specifically asking for information about people aged 60+, homeowners, and people who had landline numbers.

News as at 17 March 2022

ICO guidance on ransomware and data protection compliance

The ICO has added to its GDPR guide to cover ransomware and data protection compliance.  The guidance provides a compliance checklist and sets out eight common scenarios and situations experienced as a result of a ransomware attack, alongside compliance suggestions.  The guidance also points to other resources, notably NCSC guidance.

Ofcom consultation on security guidance and requirements for telecoms providers

Ofcom is consulting on updating its guidance for telecoms operators on complying with security requirements under the Telecommunications (Security) Act 2021, which amends ss105A-D of the Communications Act 2003.  The guidance is likely to be superseded by a Code of Practice which is also the subject of consultation along with draft secondary legislation which will set out what telecoms providers need to do to comply with security requirements. The consultation closes on 17 May 2022.

TikTok representative action moves ahead in part

SMO, a minor, acting through her litigation friend the former Children's Commissioner for England, is looking to bring a claim against six defendants from the ByteDance Group which owns TikTok, arguing that six group entities breached relevant data protection and privacy law.  The second defendant is a UK company which owns the third defendant, an Irish company.  The other defendants are located in the Cayman Islands, China and the USA.  The claimant is seeking to bring a representative claim under CPR 19.6 (the same route chosen by Mr Lloyd in his case against Google which failed).  She required permission to serve claims outside the jurisdiction against some of the defendants.  Service must take place within six months of the claim being issued.

The proceedings in this case were stayed pending the outcome of Lloyd v Google.  However, the claimant did not proceed in a timely manner and made last minute applications to extend time limits and to serve the claim against the Chinese entity on its London solicitors. The judge did not agree on either of these points.

The main interest though is in the judge's consideration of whether the claims related to a serious issue to be tried on the merits (a requirement for serving out).  The issue was whether there was a realistic prospect of success given the outcome of Lloyd v Google.  Nicklin J said that, having heard only the claimant's arguments, there is a serious issue to be tried and granted permission to serve out (albeit within the un-extended time limits).

The next step will be an application for summary judgment by the UK-based defendant.  The represented class in the claim is all those who are, or were, account holders and users of TikTok from 25 May 2018, and were resident in the UK or EEA (with the exception of the Netherlands as there are separate proceedings there), and who were under the relevant age (either 13 or 16 depending on the relevant country and applicable legislation).  

One of the problems with Mr Lloyd's representative action was that not everyone in the represented class had the same interest because they had different amounts of data processed unlawfully meaning they had suffered different levels of damage and any award would have to be individually assessed.  The Supreme Court also said each individual in a representative claim had to establish damage had been suffered as a result of a contravention.  In Lloyd v Google, the individuals could not demonstrably be shown to have suffered the same level of damage and could not claim damages on a representative basis.  It will be interesting to see whether SMO's claim against the UK defendant fails on the same grounds at the hearing of the application for summary judgment.

Separately, TikTok is also under scrutiny in the USA after eight States announced their Attorney Generals would lead a Nationwide investigation into the impact of TikTok on children, teens and adults.

Belgian regulator warns against erosion of independence

The Belgian data protection regulator (APD) has published an Opinion warning that a draft Bill intended to strengthen the APD, risks making it less independent.  In particular, it is concerned that guarantees of independence will be eroded and that the Belgian Parliament will have a greater level of control than that authorised under EU and Belgian law.  The APD is also worried about a lack of funding and weakening of legal procedures.  

It will be interesting to see whether the EDPS or even the EC will get involved in this, not least because it may shed some light on how the EU might view some of the UK government's proposals in its consultation on the reform of UK data protection law.  The UK government is looking at introducing greater oversight of the ICO, including through a government-appointed CEO, and requiring the ICO to consider the government's national and international priorities.   In her response to the consultation, the then ICO, Elizabeth Denham, said "there are specific proposals where I have strong concerns because of their risk to regulatory independence".

Danish DPA issues guidance on the use of cloud services

The Danish DPA has published guidance on the use of cloud services aimed at data controllers.  UK businesses may find it useful as the ICO's pre-GDPR 2015 guidance on the subject has not yet been updated.  It covers issues for controllers using cloud services and how to assess and monitor processors.  It also looks at the issue of data exports to third countries and, in particular, the US.

Clearview AI fined by Italian regulator

The Italian DPA has fined Clearview AI €20 million for data protection breaches relating to its facial recognition technology. This follows the UK ICO's November 2021 intention to fine it over £17 million in a joint investigation with the Australian Information Commissioner.  Clearview AI's facial recognition system uses over 10 billion images scraped from the internet.  Regulators have found Clearview AI in breach of numerous GDPR requirements including that it failed to carry out fair and lawful processing, did not have a lawful basis for collecting information, did not have suitable transparency and data retention policies, failed to give required information to individuals, did not satisfy processing conditions for special data, and did not give effect to data subject rights.

Separately, according to Clearview, more than 2bn of its images are from the Russian social media network Vkontakte. Clearview has reportedly offered Ukraine its services for free to help them identify Russian "infiltrators", identify the dead, fight misinformation and reunite families who do not have paperwork.  According to unconfirmed reports, Ukraine began using the technology at the weekend.

Meta fined €17 million by Irish DPC

The Irish Data Protection Commissioner, acting as lead regulator, has fined Meta €17 million in relation to a series of data breaches which took place between June and December 2018.  Specifically, the DPC found that Meta had breached the Article 5(2) accountability requirement, and the Article 24 requirement to maintain appropriate technical and organisational measures.  It was not able to readily demonstrate the security measures it had implemented in practice to protect user data in the context of the 12 identified breaches.  The Irish DPC's decision was subject to the Article 60 decision making process as it related to cross-border processing.

News as at 10 March 2022

NOYB continues to target cookie banners

Privacy campaign group NOYB has sent 270 draft complaints to website operators it believes are not complying with GDPR requirements in their cookie banners.  It has included suggestions about how to make the banners compliant and says it will only file the complaints against operators who do not make changes within 60 days.  This is the second wave of action NOYB has launched on cookie banners and it says it will extend its focus to pages using consent management platforms other than OneTrust, including TrustArc, Cookiebot, Usercentrics and Quantcast, hoping to review up to 10,000 websites.

Guidance for manufacturers of Video Surveillance Systems

The Biometrics and Surveillance Camera Commissioner has published guidance on security by design and default for manufacturers of Video Surveillance Systems (VSSs) or those manufacturing or assembling components to be used in VSSs.  The guidance sets out minimum requirements to ensure systems are designed and manufactured in accordance with security principles of design and default.  It forms part of a wider suite of documents being developed as part of the Surveillance Camera Commissioner Strategy in support of the SCC Code of Practice.

ICO reprimands Scottish government over COVID Status app

The ICO has issued a reprimand to the Scottish Government and NHS National Services Scotland for GDPR failings in relation to sensitive health data used by the NHS Scotland COVID Status app.

The ICO raised a number of concerns about the app at the development stage and while some were resolved, the app went live without addressing some of the ICO's wider issues.  In particular, the ICO says:

• there was an initial failure to provide adequate privacy information within the app at launch to explain what data was being used for
• for a short period after launch, users were invited to give their consent to the use of their data, however, the processing was not predicated on consent but on performance of a public task. The suggestion to users that the relevant lawful basis was consent led them to get the impression that they had a greater level of control over use of their data than was the case.  Failure to remove the misleading consent statement breached the principle that data be processed fairly, lawfully and in a transparent manner
• there was a failure to provide information in line with Article 12 requirements that information be concise, transparent, intelligible, in easily accessible form and in clear and plain language
• the ICO could not initially identify an Article 13-compliant privacy policy within or linked to from the app.  The day after launch, the ICO was pointed to a link on the NHS Inform website but the ICO said this was not easily accessible
• the privacy notice was found to be complex, unnecessarily long and difficult to navigate
• the notice contained easily misunderstood statements about the sharing of data with large tech companies.

The ICO noted that the privacy notice had been redrafted a few times since launch but said that this had not addressed the issues.  The ICO now requires the privacy notice to be re-drafted in order to present the information required by Article 13 in a manner which complies with Article 12.  It will consider issuing an Enforcement Notice if this does not happen within 30 days of 28 February.

ICO publishes call for views on accountability and governance

The ICO has published a call for views on Chapter four of its draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies.  The latest chapter focuses on accountability and governance.  It deals with responsibility for the anonymisation process, how to do DPIAs, ensuring transparency, risk mitigation and staff training, among other issues.  The call closes on 16 September 2022.

EDPB adopts final version of Guidelines on Codes of Conduct as a tool for transfers

The EDPB has adopted the final version of its Guidelines on Codes of Conduct as a tool for transfers.  The guidance provides a clarification of the application of Articles 40(3) and 46(2)(e) of the EU GDPR.  It also covers the use of an Article 40 Code of Conduct as a mechanism to protect data transfers to third countries.

Delay to revised Swiss data protection law

The revised Swiss Federal Act on Data Protection was due to come into force early this year. It has now been postponed to 1 September 2023 (subject to a confirmatory decision by the Federal Council).  The revised Act was heavily criticised in some quarters for not meeting GDPR standards and, while the reason for the delay has not been made public, it is expected that further revisions may come as a result of responses to a June 2021 consultation.

US Senate passes major draft cybersecurity legislation

The US Senate has passed the Strengthening American Cybersecurity Act, a package of bills intended to enhance US cybersecurity.  The draft legislation is targeted at companies which provide critical infrastructure including energy and healthcare. If passed in its current form, these companies would be subject to 72 hour breach reporting requirements and mandatory disclosure of ransomware payments.

The package now moves to the House of Representatives for consideration.  US Department of Justice officials are reportedly unhappy that the predominant reporting requirement is to the Department of Homeland Security's Cybersecurity and Infrastructure Agency although there are provisions to require the Agency to share reports more widely with other relevant agencies such as the FBI.

News as at 3 March 2022

Data Act published by EC

The EC has published its draft Data Act. The draft Data Act (which takes the form of a Regulation) clarifies who can create value from data (personal and non-personal) and under what conditions.  It is the second major legislative initiative of the European Strategy for Data and follows on from the Data Governance Act which creates the processes and structures to facilitate data sharing.

The Act is intended to unlock industrial data by giving business users access to data they contribute to creating, and giving individuals more control over all their data, not just personal data.  This is focused particularly on data created using connected devices and related services, for example voice assistants.  It is partially aimed at largescale manufacturers and service providers of IoT products who are likely to lose their data advantage to a degree.  Third party business users will not be able to use obtained data to develop directly competing products, but they will be able to use it to create other products and services.

Proposals include:

• giving users of connected devices access to data they generate and the ability to share it with third parties to provide aftermarket or other data-driven innovative services
• measures to rebalance negotiation power for SMEs by preventing abuse of contractual imbalances in data sharing contracts. There will be protection from unfair contractual terms and the Commission also plans to develop model contractual terms to help companies draft and negotiate fair data-sharing contracts
• provisions for access to private sector data by public sector bodies where necessary for exceptional circumstances, such as public emergency (not routine law enforcement)
• facilitation of switching between cloud and edge service providers through data and cloud interoperability rules
• establishing protection for non-personal data against unlawful data transfer and access by non-EU governments
• clarification that IoT databases should not be subject to additional legal protection (under the Database Directive), thereby allowing data generated by IoT devices to be more easily used.
• clarification that IoT databases should not be subject to additional legal protection (under the Database Directive), thereby allowing data generated by IoT devices to be more easily used.

The proposal is intended to be consistent with the GDPR, the ePrivacy Directive, the Free Flow of Non-Personal Data Regulation and the Unfair Contract Terms Directive.  "Data" is defined as "any digital representation of acts, facts or information and any compilation of such facts or information, including in the form of sound, visual or audio-visual recording".  It therefore covers personal and non-personal data although some provisions in the Act (such as those around international access and transfer) apply only to non-personal data.

Other key definitions

• "user" is any natural or legal person that owns, rents, or leases a product or receives services.
• "data holder" means a legal or natural person who has the right or obligation, in accordance with this Regulation, applicable Union law or national legislation implementing Union law, or in the case of non-personal data and through control of the technical design of the product and related services, the ability, to make available certain data.
• "data recipient" means a legal or natural person, acting for purposes which are related to that person’s trade, business, craft or profession, other than the user of a product or related service, to whom the data holder makes data available, including a third party following a request by the user to the data holder or in accordance with a legal obligation under Union law or national legislation implementing Union law.
• "product" means a tangible, movable item, including where incorporated in an immovable item, that obtains, generates or collects, data concerning its use or 72 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79). EN 39 EN environment, and that is able to communicate data via a publicly available electronic communications service and whose primary function is not the storing and processing of data.
• "related service" means a digital service, including software, which is incorporated in or inter-connected with a product in such a way that its absence would prevent the product from performing one of its functions.
• "data processing service" means a digital service other than an online content service as defined in Article 2(5) of Regulation (EU) 2017/1128, provided to a customer, which enables on-demand administration and broad remote access to a scalable and elastic pool of shareable computing resources of a centralised, distributed or highly distributed nature.

B2B and B2C data sharing

Manufacturers and designers must design products and related services in such a way that by default and design, businesses and individuals involved in generating data through them are able to access, use and share their data free of charge.  Data must also be made available to third parties by data holders at the request of the user (except by micro and small enterprises).    These provisions do not prevent the manufacturer from accessing and using data from their products or related services where agreed with the user.  
Data made available cannot be used to develop competing products and trade secrets are given protection.  Users and third parties may not share data with organisations designated as gatekeepers under the Digital Markets Act.  Third parties receiving data may only process it as agreed with the user (and in accordance with the GDPR where the data includes personal data).

Obligations for data holders legally obliged to make data available

Where a data holder is required to make data available, it must do so on fair and reasonable terms and in a transparent manner.  Any compensation to a data holder for making data available to a data recipient must be fair and non-discriminatory.  

Fairness of contractual terms

Contractual terms unilaterally imposed by one party on a micro, small or medium sized business must be fair, reasonable and non-discriminatory.  Unfair terms are defined in general terms but the Act also sets out a list of clauses which will always be or will be presumed to be unfair.  The burden of demonstrating that terms are non-discriminatory is on the data holder.

Access to data by public sector bodies and agencies

Provisions are made for public bodies and agencies to be able to access private sector data where there is an exceptional need for it.  For example, where the data is necessary to respond to public health emergencies or major natural or human-induced disasters, the data would be made available for free.  Where made available in other cases of exceptional need, for example to prevent or recover from a public emergency, there are provisions to allow compensation for data holders.  Rules are introduced to provide oversight and ensure the access right is not abused.

Switching and interoperability

Data processing services must ensure their customers can switch to an equivalent service by another provider and may not create obstacles, including by having termination periods longer than 30 days, restricting porting of data, or preventing users from entering into new contracts with other providers.  Contractual terms must allow for switching and include assistance and service continuity provisions during the transition period which must not be more than 30 days subject to technical unfeasibility.  There is also provision for a gradual withdrawal of switching charges.  Specific technical standards or interfaces are not mandated but services must be compatible with European standards or interoperability technical specifications where available.

Safeguards for international transfers of non-personal data

Providers of data processing services are required to take all reasonable technical, legal and organisational measures, including contractual arrangements, to prevent international transfers or governmental access to non-personal data held in the EU where such transfer or access would create a conflict with EU or Member State law.  This is subject to exceptions for legal data access requests under international agreements.

Interoperability

Operators of data spaces and data processing service providers must comply with requirements to facilitate interoperability of data, data sharing mechanisms and services.  These can be generic or sector-specific and the Commission may adopt further specifications and requirements but the immediate focus is on cloud service providers and ensuring portability.  There are also requirements regarding essential requirements for smart contracts.

Implementation and enforcement

Member States must designate supervisory authorities which will have powers to sanction non-compliance in line with GDPR-level fines for certain breaches.

The legislation now begins the path to approval and is expected to come into effect 12 months after coming into force.  See our article for more.

‍

CMA blog post on Google's Privacy Sandbox

The CMA has published a blog on its decision to accept binding commitments on Google's proposals to replace third party cookies on its Chrome browser with a range of Privacy Sandbox tools.  The CMA notes that Google plans to roll out a similar set of changes to app advertising within the Android ecosystem and that it will apply the same commitments on a voluntary basis.  The CMA is looking for engagement with and input from other market players to help it inform its approach to monitoring and testing Google's proposals.

News as at 24 February 2022

A ban on Meta data transfers from Ireland to the USA moves a step closer

The Irish Times has reported that Irish Data Protection Commissioner has issued a preliminary draft decision suspending data transfers by Facebook's Meta from Ireland to the USA.  Meta reportedly has 28 days to make submissions after which the Irish DPC will prepare a draft Article 60 decision for consideration by other concerned Supervisory Authorities.  This is likely to happen in April.  The substance of the decision has not yet been made public.

This is the latest twist in the Schrems complaint and, if suspension of transfers to the US is ordered, there could be wide reaching implications for all data transfers to the USA and, potentially, to other third countries.

ICO consultation on guidance on processing for research

The ICO has published draft guidance on the research provisions within the UK GDPR and DPA 18.  This is intended to highlight where in the legislation the various provisions relating to research are found, how they fit together, and their practical effect.  It is intended to provide more detail and clarity to help organisations understand when they can rely on research provisions.  It covers areas including:

• what constitutes research-related processing
• appropriate safeguards under Article 89 UK GDPR and s19 DPA 18
• compliance with the data protection principles and requirements around processing special category data
• when and how exemptions might apply to research-related processing.

As the ICO notes, the government is currently consulting on reforming research provisions as part of its review of the UK GDPR. The ICO believes guidance on the current regime is, however, required now in order to support stakeholders and it addresses many of the issues raised by the government.  It is consulting on the draft guidance until 22 April 2022.

ABPI consultation on draft principles for use of health data

The Association of the British Pharmaceutical Industry (ABPI) is consulting on draft governance principles for the use of health data by the pharmaceutical industry.  The principles are intended to help increase transparency around the use of health data by pharmaceutical industry researchers and cover:

• transparency of purpose – industry will be clear and open about what company researchers aim to do with health data, how it will be analysed, the expected benefits and how risk will be managed
• clarity of arrangements – contractual arrangements with data custodians will be designed to return 'fair value'
• patient and public involvement and engagement – this will be embedded in the design and approval of health data products, whether within organisations or when projects are reviewed by data custodians
• non-exclusivity of arrangements – benefits will be applied across the UK health service for the benefit of all appropriate patients, supporting the principle that any dataset be available for analysis by any bona fide researchers at any time
• compliance with prevailing laws and regulations – all projects and arrangements will adhere to national level legal, regulatory, privacy and security obligations.

IAB Technology Laboratory unveils 2022 priorities

IAB TechLab (which focuses on developing technology and standards for the digital media ecosystem and is related to IAB Europe), has set out its 2022 product roadmap and working groups.  It will focus on:

• creating technical standards, frameworks and open-source initiatives across a portfolio of addressability solutions
• developing the technical standards needed to accelerate the ongoing growth of connected TV supporting audience measurement
• advancing technical standards to combat ad fraud and support supply chain transparency and security.

Among the working groups planned is one on PETs.  Developers working on advanced cryptography, data scientists, privacy and security systems engineers, as well as others in the digital advertising community, are invited to help develop privacy enhancing standards and software tools for the digital advertising industry.

EDPB first coordinated enforcement action

The EDPB has begun its first coordinated enforcement action which will investigate the use of cloud-based services by public authorities.  This follows the creation of a Coordinated Enforcement Framework (CEF) in October 2020.  The action will involve 22 DPAs and the EDPB looking at over 80 public bodies.  

The CEF will be implemented at national level in one or more of the following ways: fact finding to identify whether a formal investigation is warranted; formal investigation; and follow up of ongoing formal investigations.  SAs will focus on public bodies' challenges with GDPR compliance when using cloud services, including regarding international transfers, and the controller processor relationship.

Results will be analysed in a coordinated manner and the EDPB will publish a report by the end of 2022.

CNIL enforcement priorities for 2022

The CNIL has set out its enforcement priorities in 2022:

• Direct marketing – the CNIL will look at industry compliance, in particular among data brokers.
• Monitoring tools for teleworking – the CNIL will look at employer compliance.
• Cloud – the CNIL will focus on data transfers outside the EU, and the contractual relationship between controllers and cloud service providers.  This will be as a part of the EU-wide, EDPB headed coordinated enforcement action.

Google publishes update on Privacy Sandbox

Google has published a blog on its updated approach to the Privacy Sandbox.  It announced a multi-year initiative to build the Privacy Sandbox on Android to introduce more private advertising solutions.  These will limit sharing of user data with third parties and operate without cross-app identifiers, including advertising ID.  Google is also exploring ways to reduce the potential for covert data collection, including safer ways for apps to be integrated with advertising SDKs.

Developers can review initial design proposals and share feedback on the Android developer site. A beta version will be released by the end of the year.

The announcement follows Google's commitments to the CMA about the development of its Privacy Sandbox.

Oman approves new data protection law

Oman has approved its Law on the Protection of Personal Data which takes effect in February 2023.  The law, which provides a range of data subject rights, is heavily focused on consent and is also subject to a wide range of exceptions.  It will be enforced by the Ministry of Transport, Communications and Information Technology which will draw up further regulations.

EDPS calls for ban on Pegasus-type spyware in the EU

The EDPS has published preliminary remarks on Modern Spyware, recommending a ban on the development and deployment of Pegasus-type spyware in order to protect fundamental rights and freedoms.  The EDPS says it is unlikely that Pegasus could be used lawfully in the EU but recognises there may be exceptional circumstances, including serious imminent threat, that might justify using this type of spyware subject to robust oversight.

California plans to protect children's privacy online

California legislators are proposing a new law to protect children's privacy online.  It is heavily based on the ICO's Children's Code with a focus on privacy by design.  As drafted, the law would require companies based in California (including Meta and Google) to limit the amount of data they collect from children.  It would also limit location tracking and profiling for targeted advertising, ban behavioural nudges, and require age-appropriate content policies.

News as at 17 February 2022

CNIL latest regulator to find Google Analytics transfers unlawful

The French data protection authority, the CNIL, has found that an unnamed French website manager's use of Google Analytics breaches the GDPR as it results in the unlawful transfer of personal data to the USA.  The CNIL found that the personal data transferred to the USA by Google Analytics was not adequately protected from potential access by US intelligence agencies.  This was notwithstanding the additional protective measures put in place by Google.  As a result, the CNIL ordered the controller to bring its processing into GDPR compliance within one month, if necessary by ceasing to use Google Analytics (under the current conditions) or by using a tool which does not involve a transfer outside the EU.

The CNIL noted that its decision is in response to one of the 101 complaints filed by NOYB in the EU relating to the use of Google Analytics, and that it was reached in cooperation with EU DPAs.  The decision mirrors an earlier one by the Austrian DPA and follows warnings made by the Netherlands regulator.  

The CNIL said that analytics tools for website and audience measurement and analysis services should only be used to produce anonymous statistical data which would therefore allow for an exemption from consent requirements if the controller ensures there are no illegal transfers.  It has launched an evaluation programme to determine which solutions are exempt from consent.  The CNIL also makes it clear that it is not just Google Analytics in the frame but that it, and its EU counterparts, are investigating other similar tools which also result in the transfer of personal data to the USA.

With other EU regulators likely to follow the general direction of travel, it may become difficult to use analytics tools which transfer personal data to the US, although controllers should still be able to use them to collect non-personal analytics.  

The wider implications of these decisions are more far reaching. They cast doubt over whether there are any realistically achievable additional measures sufficient to protect personal data transferred to the US from the EU.  Google says its supplementary measures intended to give effect to the Schrems II rulings include anonymising IP addresses before data leaves the EU, using data encryption, and employing technical measures to prevent in-transit interception.  These are all measures included in EDPB Guidance as ways to reduce risk attaching to US data transfers and yet regulators are finding that they do not adequately protect the data.  

Given that the personal data being transferred by analytics tools is not particularly sensitive, one might imagine the risk to individuals regarding access by intelligence authorities is relatively low.  So how much more stringent do protections need to be for more sensitive data being transferred to the US?  All eyes are now looking out for the rumoured Privacy Shield 2.0.

To hear more on these issues and to catch up with other developments on data transfers, join our webinar on 22 February.

IAB Europe appeals APD ruling against TCF

As expected IAB Europe has announced it is appealing the decision of the Belgian data protection authority, that it breached the GDPR in relation to its Transparency and Consent Framework (TCF).  IAB Europe has described the APD's decision that it was a data controller in respect of the TC String used in the TCF as "wrong as a matter of law".  It now says "We believe the controversial ruling that IAB Europe is a data controller for information processed for TCF purposes is based on a misunderstanding of the facts and a misapplication of the law.  This establishes an irrational legal precedent.  It will have the perverse effect of discouraging other standard-setting organisations from investing in instruments that aim to protect users and facilitate the exercise of their rights under GDPR".  

IAB asks other EU DPAs to confirm they will hold off taking measures against IAB Europe or any TCF participants, pending the outcome of the appeal.  It also suggests advocacy organisations calling on advertisers to stop using the TCF and OpenRTB, are reaching "unfounded" conclusions because no advertisers are named parties in the Belgian ruling, and because the APD has not ordered IAB Europe to discontinue the use of TCF while it submits a plan to address APD concerns.

IAB Europe says it will continue to work with the APD towards approval of the TCF as a trans-national GDPR Code of Conduct.

‍

CMA accepts Google's commitments regarding its Privacy Sandbox

The CMA has announced its acceptance of Google's final commitments to address competition and privacy concerns over Google's planned replacement of third party cookies on its Chrome browser with a range of 'Privacy Sandbox' tools.

The CMA has been working closely with the ICO to analyse and address potential risks associated with Google's proposals.  In particular, the CMA was concerned that they would:

• Distort competition in the market for supply of ad inventory and adtech services in the UK by restricting the functionality associated with user tracking for third parties while retaining it for Google
• Allow Google to prioritise its own ad inventory and adtech services and affect digital advertising market outcomes in ways which could not be scrutinised by third parties
• Allow Google to exploit its apparent dominant position by denying Chrome users substantial choice in terms of whether and how their personal data is used for targeting purposes and delivering ads.

The CMA has now accepted final commitments from Google (following two consultations on proposals) which include:

• Google will involve the CMA and the ICO in the development and testing of Privacy Sandbox proposals.
• There will be a more transparent process around development of the tools including engagement with third parties and the publication of test results, with the option for the CMA to require Google to address any issues raised as a result.
• TPCs will not be removed until the CMA is satisfied its competition concerns have been addressed.  The CMA reserves the right to take further action if this is not the case.
• Google will restrict the sharing of data within its ecosystem to ensure it does not gain an advantage over competitors when TPCs are removed, and will commit to not self-preferencing its own advertising services.
• Google agrees to the appointment of a monitoring trustee to oversee its compliance with its commitments.

The commitments are made for six years.  The ICO has welcomed the outcome.

News as at 10 February 2022

IAB Europe fined EUR 250k by Belgian DPA for TCF failings

The Belgian Data Protection Authority (the APD) has fined IAB Europe EUR 250 for GDPR failings of its Transparency and Consent Framework (TCF).  The TCF was designed to help the real time biding adtech ecosystem comply with the GDPR, and, in particular, to address some of the difficulties in being transparent and obtaining valid consent. It is widely used by the adtech industry.

The APD found that IAB Europe is a data controller with respect to the registration of user consents, objections and preferences by means of a unique Transparency and Consent (TC) String which is linked to an identifiable user.  It is therefore responsible for the following GDPR failings:

• Lawfulness of processing – IAB Europe fails to establish a lawful basis for processing the TC String and the lawful bases for subsequent processing by adtech vendors are subsequently inadequate.
• Transparency and provision of information – the information provided to users is too vague and generic to allow them to understand the complex data journey which makes it difficult for them to maintain control over their data.
• Accountability, security and data protection by design and default – there is a lack of organisational and technical measures in line with the principle of data protection by design and default.  This is particularly in relation to ensuring effective exercise of data subject rights and monitoring user choices.  As a result, GDPR compliance is not adequately demonstrated.
• Controller obligations – in its role as controller, IAB Europe has failed to conduct a DPIA, appoint a DPO and keep a register of its processing activities.

The APD fined IAB Europe EUR 250,000 and gave it two months to present an action plan for taking corrective measures which must be completed within six months.  These must include:

• establishing a legal basis for the processing and sharing of user preferences in the context of the TCF, in the form of a TC String and cookie
• permanently deleting personal data already processed in the TCF system on the basis of globally scoped consents no longer supported by IAB Europe
• prohibiting reliance on the legitimate interests lawful basis by organisations participating in TCF in its current format.

Responding to the decision, IAB Europe rejected the APD's finding that it is a data controller in the context of the TCF, saying it was wrong "as a matter of law" and hinting strongly at an appeal.  On a more positive note,  it also hailed the decision as paving the way for the TCF to become a formal GDPR Code of Conduct.  This was because the APD provided for issues to be remedied within six months.  

Some of these issues are fairly easy for IAB Europe to fix – for example, appointing a DPO.  Others go to the heart of GDPR compliance for the adtech sector by making it very difficult to establish a suitable lawful basis for processing.   Capturing granular consent is notoriously difficult in the world of real-time bidding which is one of the reasons the TCF was developed in the first place.  

IAB Europe said it would work with the APD towards getting the TCF to a point where it can be submitted for approval as a trans-national Code of Conduct.  The question is whether it will be able to do that and what it means for the industry as a whole if it can't.

ICO call for views on anonymisation, pseudonymisation and PETs guidance

The ICO is calling for views on its updated draft guidance on anonymisation, pseudonymisation and privacy enhancing technologies.  This is being published in sections with the most recent focusing on pseudonymisation.  Chapters introducing anonymisation and on identifiability were published last year.  Further chapters covering research, PETs, data sharing and accountability (among other topics) are set to follow.

The latest chapter sets out key differences between anonymisation and pseudonymisation, guidance on pseudonymisation and on the DPA 18 re-identification offence.  

The consultation on the guidance is open until September 2022.  A consultation on the full draft will take place in the autumn.

ICO consults health sector on shaping PETs

The ICO is inviting health sector organisations to participate in workshops on Privacy Enhancing Technologies.  The ICO wants to set out how PETs can facilitate safe, legal and valuable data sharing in health and understand what is needed to help organisations use them.  Adoption is currently low and workshop attendance is particularly encouraged for health organisations and healthtech startups, both those using PETs and those not using them, as well as academic and legal experts, and suppliers of PETs.  The workshops are part of a BEIS-funded project, 'PETs for Public Good'.

ICO conducts listening exercise

The ICO has announced a major listening exercise to hear from businesses, organisations and individuals about their experiences of engaging with the ICO.  This will involve the ICO conducting a survey and hosting events for a variety of stakeholders.  The survey opened on 28 January and will close on 1 May 2022.

EC expected to present Data Act on 23 February

The EC is expected to present its new Data Act on 23 February.  The Act will cover non-personal data and apply to the manufacturers of connected products, digital service providers and users in the EU.  The Act will focus on giving individuals and organisations access to the data they contribute to generating.  It will place restrictions on the use of third party data by organisations designated as gatekeepers under the Digital Markets Act, and prevent unfair contractual terms and the use of dark patterns to manipulate user choices.  The Act is also expected to contain mandatory switching and interoperability provisions for cloud service providers.

EDPB's first opinion on national certification scheme

The EDPB has adopted its first opinion on certification criteria in response to the GDPR-CARPA scheme submitted by the Luxembourg DPA.  Certification schemes are intended to help controllers and processors demonstrate GDPR compliance and give them greater visibility and credibility.  The EDPB's role is to ensure consistency of certification criteria across the EU.  It has asked for a number of changes to the proposed scheme, mostly requiring it to be more specific and add clarity.  Once adopted by the Luxembourg DPA, it will be added to the register of certification mechanisms and data protection seals under Article 42 GDPR.

News as at 3 February 2022

New UK international data transfer agreement laid before Parliament

The ICO has laid the UK's new international data transfer agreement (IDTA), the international data transfer addendum to the EC's standard contractual clauses (Addendum) and a document setting out transitional provisions before Parliament.  Providing no objections are raised, they will come into force on 21 March 2022. The IDTA and Addendum will replace the current UK SCCs for international transfers and take the Schrems II decision into account. 

Under Paragraph 7, Part 3, Schedule 21 of the Data Protection Act 2018, transitional provisions allowed SCCs issued under the Data Protection Directive to be used as an appropriate safeguard for international data transfers. The ICO refers to these as Transitional Standard Clauses (TSCCs)

Provisions laid out for the transition to the new IDTA are as follows:

• Contracts concluded on or before 21 September 2021 (we think this could be a typo and it is more likely 21 September 2022) on the basis of the TSCCs shall continue to be treated as providing adequate safeguards for the purpose of Article 46(1) UK GDPR until 21 March 2024, provided that the processing operations that are the subject matter of the contract remain unchanged, and reliance on those clauses ensures that the transfer of personal data is subject to appropriate safeguards.
  
  

  The ICO says the IDTA and Addendum are "immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval".

The ICO is developing additional tools to provide support and guidance which will be published soon. These will cover:

• clause by clause guidance to the IDTA and Addendum
• guidance on how to use the IDTA
• guidance on Transfer Risk Assessments
• further clarifications on international transfers guidance.

IDTA

This consists of:

• tables – can be completed largely through tick boxes
• extra protection clauses
• commercial clauses
• mandatory clauses to which only limited changes can be made, for example, to deal with the parties, update cross-referencing, and remove sections expressly stated not to apply to the selections made by the parties in parts of Table 2.

Addendum

The Addendum is designed to be appended to the EU SCCs but states that in the event of any conflict between the Addendum and UK data protection law, UK data protection law will prevail.  Despite wording to the contrary in the EU SCCs, the Addendum sets out the following hierarchy with some slightly confusing definitions:

Addendum – the International Data Transfer Addendum which is made up of the Addendum incorporating the Addendum EU SCCs

Addendum EU SCCs – the version of the Approved EU SCCs which the Addendum is appended to, as set out in Table 2 including the Appendix information

Approved Addendum – the template Addendum issued by the ICO and laid before Parliament on 28 January 2022, as it is revised undersection 18 DPA 18.

• In the event of any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs, the Approved Addendum will prevail unless the inconsistent or conflicting terms of the Addendum EU SCCs afford greater protection for data subjects.
• Where the Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the EU GDPR, the parties acknowledge nothing in the Addendum impacts the Addendum EU SCCs.

The Addendum incorporates the EU SCCs subject to changes to take account of governing law, jurisdiction and to make them work in the UK.

Google Analytics under continuing scrutiny 

Following the decision by the Austrian data protection regulator that the use of Google Analytics breaches rules on data exports, other regulators have added their comments.  The Norwegian DPA investigating two complaints, announced it would join Austria's decision but also commented that other web tools send far more personal data to the US than Google Analytics does. The Guernsey DPA said it was removing Google Analytics from its website.  On the one hand this represents implicit agreement with the Austrian DPA but it also backs up Google's point that controllers have responsibility for the way in they use Google Analytics.

There are reported to be close to 100 complaints about Google Analytics across the EU and the EDPB has set up a working group to look at the issue. In the meantime, it is likely that both Google and the Austrian controller in question will appeal the Austrian decision. It also remains to be seen whether the Austrian regulator goes on to issue a binding decision or impose sanctions.

Controllers who are responsible for their use of Google Analytics (and any similar tools) should, at this stage, make considered use of the privacy options available pending any EU-level decision.

DCMS appoints International Data Transfer Expert Council

DCMS has announced a 20-member International Data Transfer Expert Council. The Council is made up of data privacy experts from a variety of key organisations (including Google, Mastercard and Microsoft), industry sectors, legal practice and academia.  The role of the Council is to provide independent advice to the government to help it unlock the benefits of secure cross-border data flows following Brexit. This will include advising on revised data transfer tools and new data adequacy arrangements.

ENISA report on Data Protection Engineering

ENISA has published a report looking at data protection engineering to help organisations with data protection by design and default. The report focuses on anonymisation, pseudonymisation, data masking and privacy-preserving computations, access, communications and storage and transparency. It focuses on technical aspects, looking at the benefits of particular tools and techniques to meet GDPR security requirements. It also makes recommendations to regulators on actions to promote good practice and provide guidance.

Regulations made to amend DPA 18 immigration exemption 

The Data Protection 2018 (Amendment Schedule 2 Exemptions) Regulations 2022, which amend the immigration exemption have been made. The exemption in the DPA 18 was declared unlawful by the Court of Appeal and the government was given until the end of January 2022 to make the required amendments. Privacy campaigners dispute whether the amendments resolve the issue of incompatibility with the UK GDPR.

News as at 27 January 2022

EDPB draft guidelines on the right of access

The EDPB has adopted draft guidelines on the right of access. These are subject to a six week consultation period although they had not been published at the time of writing. The guidelines analyse the right of access and provide guidance on its implementation in a variety of specific situations.  They also look at the scope of the right, the information the controller has to provide to the data subject, the format of requests, how to provide access, and at what constitutes "manifestly unfounded or excessive requests".  The guidance will not apply under the UK GDPR but controllers may find it useful to read it in addition to ICO guidance on the issue.

CJEU says inbox advertising covered by ePrivacy Directive 

The CJEU has ruled on a reference from Germany which asked whether restrictions on sending unsolicited direct marketing communications under Article 13 of the ePrivacy Directive apply to advertising messages that appear in email inboxes and look like normal emails. The practice is referred to as inbox advertising.

The advertising in this case was in a free email service funded by paid-for advertising.  Users were also able to select a paid-for ad-free version of the service as an alternative.  The adverts were sent at random and the content was not targeted.  They were visually indistinguishable from other emails except for the fact that the date was replaced by the word 'Anzeige' (advert).  No sender was mentioned and the text appeared against a grey background.  The subject section contained text promoting price offers for electricity and gas.

The CJEU was asked to decide whether and under what conditions, the placement of advertising messages in an inbox of a free email service funded by paid-for advertising may be regarded as compatible with the ePrivacy Directive and the Unfair Commercial Practices Directive.

The court held that:

• the objective of the ePrivacy Directive is to protect subscribers from intrusion by unsolicited direct marketing communications and should be ensured regardless of technologies used
• the use of electronic mail in the proceedings is likely to breach the objective of protecting users from such communications
• the very nature of the advertising messages at issue and the fact they are distributed as email allows them to be classified as direct marketing communications.  The fact the recipient is chosen at random is irrelevant.  What matters is that there is a communication for a commercial purpose which reaches, directly and individually, one or more email user
• while the display of the advertising messages in the user's list of private emails impedes access to those emails in a manner similar to that used for spam, the ePrivacy Directive does not impose a requirement for the burden on the user to be found to be greater than a nuisance.  At the same time, such a display of advertising imposes a burden on the user concerned in any event
• a practice consisting of displaying an email advertising message in a form similar to that of real email falls within the concept of "persistent and unwanted solicitations" within the meaning of the Unfair Commercial Practices Directive if the messages occur sufficiently frequently to be classified as persistent and if prior consent to their receipt has not been given.

It will be interesting to see how the referring court rules on the issue of whether or not consent to the communications had been received.

Government consultations on UK cybersecurity framework

• The government has published its 2022 Cyber Security Incentives and Regulation report which sets out how the government can strengthen cyber resilience.  Alongside this it is consulting on proposals for legislation to improve the UK's cyber resilience, and on embedding standards and pathways across the cyber profession by 2025.

Proposals for new laws to strengthen cyber resilience of UK businesses

The government is consulting on new laws to drive up security standards in outsourced IT services, and to make improvements in the way organisations report cybersecurity incidents. The consultation closes on 10 April 2022.

Central to the proposals are plans to expand and reform the NIS Regulations 2018, including by:

• extending their scope to include managed services
• requiring large companies to provide better incident reporting to regulators such as Ofcom, Ofgem and the ICO, including by requiring notification of all cyberattacks and not just those incidents which impact their services
• giving the government the ability to update the Regulations and, if necessary, bring more organisations which provide critical support to essential services in scope
• transfer all relevant costs incurred by regulators for enforcing the NIS Regulations from the taxpayer to the organisations covered by the legislation to create a more flexible finance system and reduce the burden on the taxpayer
• update the regulatory regime so that the most critical digital service providers in the economy have to demonstrate proactively to the ICO that they are following the Regulations while other organisations will be subject to a lighter-touch reactive approach.
  
  See here for more detail.

Embedding standards and pathways across the cyberprofession by 2025

This consultation is open until 20 March 2022 and focuses on proposals to standardise qualifications and certifications across the cybersecurity profession. The consultation asks for views on how best to ensure that UK Cyber Security Council launched in May last year, fulfils its goals.  The Council was set up to act as the professional body for cybersecurity workers.  The consultation aims to engage on ways to allow the Council to define and recognise cybersecurity job titles and link them to existing qualifications and certifications.  The consultation also looks at ways to tackle the scale and diversity of the skills shortage.

EDPS calls for stricter rules on online targeting for political advertising

The EDPS has published an Opinion on the proposed Regulation on Transparency and Targeting for Political Purposes.  The EDPS suggests legislators consider stricter rules in addition to the measures already proposed.  These should include a full ban on microtargeting for political purposes, and a ban on pervasive tracking for political purposes.  This should involve further restrictions on which categories can be processed for political advertising purposes, including for targeting and amplification.

ICO supports use of end-to-end encryption

A government-funded campaign to put pressure on social media companies to delay bringing in end-to-end encryption (E2EE) was launched last week.  The government reportedly spent over £500,000 to promote the campaign which asks for a delay in introducing E2EE until safeguards to protect children from abusers are put in place.  Meta recently announced a delay to its plans to extend E2EE across its platforms and the campaign asks for assurances on what safeguards will be put in place.

The ICO responded to this arguing that E2EE serves an important role in safeguarding privacy and online safety.  The ICO suggested the debate about the merits or otherwise of E2EE has become too unbalanced with a focus on the costs at the expense of a consideration of the benefits.  The ICO went on to say that law enforcers have a variety of methods to catch abusers and do not need to rely on access to encrypted content, concluding "it is hard to see any case for reconsidering the use of E2EE – delaying its use leaves everyone at risk including children".

News as at 20 January 2022

Exporters of Google Analytics data to USA breach GDPR, says Austrian DPA

The Austrian Data Protection Authority, the DSB, has reportedly said that using Google Analytics breaches EU law on data exports in a decision published by the claimant NOYB (the privacy group spearheaded by Max Schrems).

The complaint alleged that Google as data importer, and a website provider as exporter, breached Article 44 GDPR when moving Google Analytics data from the EU to the USA as it was vulnerable to access by US intelligence authorities.  Google argued that the data was not personal data and that Chapter V of the GDPR was not applicable to data importers. 

The DSB agreed that the export of the data did breach the GDPR.  In particular, it found the supplementary measures used by Google in conjunction with Standard Contractual Clauses do not adequately address specific issues with data transfers to the USA and the potential access to data by US intelligence authorities.  The DSB held that the transfers were not adequately protected.  Moreover, the exporter could not rely on an Article 49 exemption.  The transfers therefore took place in breach of Article 44 GDPR. 

The DSB did, however, agree with Google that Chapter V of the GDPR applies only to exporters and that it was the exporter who was solely liable for the breach.  No fine has been issued to date.

Earlier in the week, the EDPS reached a similar decision with regard to the use of Google Analytics and payment provider Stripe by the European Parliament in relation to its COVID testing website.

Google issued a robust response in a blog post, arguing that there was a fundamental misunderstanding of the way Google Analytics worked.  It said that:

• Google Analytics does not track people or profile them across the internet. It helps organisations understand how their services and apps are used by collecting information like the type of browser and device used, how much time visitors spend on the site or app, and roughly where in the world they come from. The data is never used by Google to identify a person. Customers are prohibited from uploading information which might enable Google to identify individuals and are provided with deletion tools if they inadvertently do so.
• Organisations control the data they collect using Google Analytics and Google processes the data in accordance with its customers' instructions. Organisations can control whether Google is permitted to use analytics data for its own further specified purposes such as technical support or to improve its products and services as these require specific opt-in.
• Google Analytics provides customers with a range of privacy controls and resources including IP anonymisation, deletion and set retention periods.
• Google Analytics allows users to disable Google Analytics using its add-on.  It also requires its customers to inform users about their use of analytics.
• Google Analytics cannot be used to target ads based on special personal data.

• Google uses a number of supplementary measures in addition to SCCs for data transfers.  These include anonymising IP addresses before data leaves Europe, using data encryption, technical measures to prevent interception in transit, and international security standards.

The defendants have four weeks from the date of the decision to appeal it.

CNIL guidance on processor reuse of data supplied by controller

The CNIL has published guidance on when and for what purposes processors may use personal data supplied by controllers for their own purposes.  The CNIL says data can only be reused by processors where strict conditions are met.

• Firstly, explicit written consent to the reuse must be obtained from the relevant controller.  When seeking consent, the processor must specify how and why the personal data will be reused and ensure there is scope for this in their customer agreements. 
• Before giving consent, the controller is required to consider whether the processors' new purposes constitute processing which is compatible with the original purposes for processing, unless the lawful basis it relied on for the initial processing was consent. The controller cannot give general permission for reuse.  The CNIL suggests by way of example, that reuse of data to improve cloud services would probably be compatible, whereas use for direct marketing would not be. 
• If the initial controller decides the further processing is incompatible, it must refuse permission. Where it determines the further processing is compatible, it has discretion as to whether or not to grant permission for reuse by the processor.
• Where the initial controller's lawful basis was consent, the processor needs to get fresh consent from relevant data subjects to further processing.
• The processor will become the controller of the data with respect to any further processing and will need its own lawful basis for the processing.
• It is the initial controller's responsibility to inform the data subjects of the further processing (and of the right to object where it applies).

The guidance suggests current market practice general clauses around further processing, both in DPAs and in data subject-facing policies, will not be sufficient to permit further processing by processors. The guidance requires a high level of decision making by controllers and detailed information both from processor to controller and controller to data subject. While this is French guidance, it is likely to be influential with other regulators.

Class action launched against Meta

A class action has been launched against Meta (Facebook's parent company) at the Competition Appeal Tribunal under the Consumer Rights Act 2015.  It alleges that Meta abused its market dominance by setting an unfair price for the free use of Facebook in the form of the personal data it collects from users. The class includes all people domiciled in the UK who used Facebook at least once between 1 October 2015 and 31 December 2019 unless they opt out.  The claim is said to be worth USD 2.3 billion and is being backed by litigation funder Innsworth.

The action is based on the assertion that at the relevant time, there was no other comparable social platform and that Facebook generated massive revenues by tracking users across the internet, getting a disproportionate value compared to the value received by the user of the Facebook platform. The allegation is that although there are privacy controls available to data subjects, they are difficult to use, and that Facebook is not sufficiently transparent about the way data is used. It therefore imposes unfair terms and conditions.

Facebook argues that users get an appropriate value and that they have meaningful control over their data. Meta is also facing FTC action in the US on anti-trust issues.

It remains to be seen whether this claim under the Consumer Rights Act is more successful than the representative class action claim made in Lloyd v Google under the old Data Protection Act 1998. The claim in Lloyd v Google failed, in part, because the claimant could not demonstrate a common issue among the class.  There was no evidence to suggest members of the class had suffered a uniform impact of the data processing, nor that they had all suffered the same level of damages. This is also likely to be true of Facebook users.  A one-time user of the platform under maximum privacy settings, would have different exposure to a constant user with open privacy settings. Moreover, the latter may have suffered less distress than the former.

News as at 13 January 2022

CNIL fines Google and Facebook for breach of consent

The French data protection authority, the CNIL, has fined Google EUR150 million and Facebook EUR60 million for failing to meet consent requirements to cookies on Facebook, Google and YouTube in France.  The CNIL said failure to make it as easy to reject cookies as to accept them meant that consent to cookies was invalid in breach of Article 82 of the French Data Protection Act.  While the sites required only one click to accept cookies, several clicks were required to reject all of them.

In assessing the amount of the fines, the CNIL took into consideration the number of users, the revenue the companies raised from advertising indirectly generated by the data collected from the cookies, and the fact that it had repeatedly warned Google and Facebook that they were in breach of the requirements.  The CNIL also requires Google and Facebook to make it as easy to reject as to accept cookies within three months, after which they will face penalties of EUR100,000 per day of non-compliance.

As the decision relates to requirements under the French implementation of the Privacy and Electronic Communications Directive, it is specific to France.  Consent to cookies under PECR became enhanced GDPR consent when the GDPR came into effect.

It will be interesting to see how this decision impacts other EU versions of the Google and Facebook sites.  Not to mention the fact that Google and Facebook are far from alone in making it easier to accept than to reject cookies.

WhatsApp appeal of EUR 225 million fine published

In 2021, the Irish Data Protection Commission fined WhatsApp EUR225 million for breaches of the GDPR. The fine related to breaches of transparency requirements, particularly relating to the sharing of WhatsApp data with its parent company Facebook. 

The Irish regulator, acting as Lead Supervisory Authority, had originally intended a lower fine of between EUR 30-50 million, however, its provisional decision was rejected by other regulators.  The EDPB subsequently issued a binding decision under the Article 65 procedure requiring the fine to be increased.  It also specified that WhatsApp be given a reduced time of three months to take required remedial actions in relation to its privacy practices.

WhatsApp's appeal to the CJEU has now been published.  It is asking the CJEU to annul the penalty and to allow it to recover costs arguing that the EDPB:

• exceeded its competence under Article 65 GDPR
• over-interpreted transparency requirements by requiring WhatsApp to provide unrequired information
• interpreted and applied the term "personal data" excessively
• violated the presumption of innocence under Article 48 of the Charter of Fundamental Rights by inappropriately shifting the burden of proof onto WhatsApp to demonstrate its processing environment is such that the risk of re-identifying individuals is purely speculative
• infringed the right to good administration (Article 41 of the Charter) by disregarding WhatsApp's right to be heard and by failing to examine evidence impartially and carefully and not giving adequate reasons
• violated Article 83 GDPR when assessing the amount of the fine, and
• violated the principle of legal certainty by failing to acknowledge its decision put forward novel interpretations and application of several provisions of the GDPR with the result that the infringement was unpredictable.

It will be very interesting to see how this progresses.

Additional penalties to EUR 768 million Amazon fine suspended

The Administrative Court of Luxembourg has suspended the requirement for Amazon to make changes to its data processing in relation to targeted advertising by 15 January on pain of daily penalties.  In July 2021, Amazon was fined a record EUR 768 million for transparency failings regarding targeted advertising.  Amazon is appealing the fine but also appealed the requirement to make changes by 15 January, arguing that it could not comply due to a lack of clarity as to what it was being asked to do.  The Court acknowledged that the requirements made by the Luxembourg DPA were insufficiently clear or precise and suspended the compliance deadline.

EDPS imposes six month data retention period on Europol

The EDPS has said Europol must delete data concerning individuals with no established link to a criminal activity after six months.  This order concludes an investigation into Europol's data retention practices started in 2019.  The EDPS said Europol had failed to comply with its request to introduce an appropriate data retention period to filter and extract the personal data it was allowed to retain, in breach of the principles of data minimisation and storage limitation under the Europol Regulation.  Europol has 12 months to comply in relation to datasets received before the EDPS Decision.

According to the Guardian, Europol has four petabytes of data which has led to accusations of mass surveillance.

News as at 6 January 2022

UK Cyber Strategy published

The government has published its National Cyber Strategy 2022, setting out a five year plan underpinned by £2.6 billion of investment.  The Strategy is built around five pillars involving strengthening the UK's cyber ecosystem and associated technologies.  Targeted, sector-focused legislation may follow where needed, particularly in relation  to providers of essential and digital services, data protection in the wider economy, and large businesses.  

As part of the strategy, the government has published the Product Security and Telecommunications Infrastructure Bill (see below).

Product Security and Telecommunications Infrastructure Bill introduced to Parliament

The Product Security and Telecommunications Infrastructure Bill (PSTI) has been introduced to Parliament.  It will govern the security of consumer connectable devices and speed up the roll out of faster and more reliable broadband and mobile networks by making it easier for operators to upgrade and share infrastructure.

The PTSI will apply to manufacturers and retailers (both on and offline) and will cover connectable products which includes all devices which can access the internet and products which can connect to multiple other devices but not directly to the internet (such as smart light bulbs, smart thermostats and wearable fitness trackers).

The PTSI will give the government the power to bring in tougher security standards for device makers including:

• a ban on 'easy-to-guess' default passwords pre-loaded on new devices - all passwords will need to be unique and not resettable to a universal factory setting

• a requirement for connectable product manufacturers to tell customers at point of sale, and keep them updated, about the minimum amount of time a product will receive security updates and patches. If none, then that must be clear

• a requirement on manufacturers to provide a public point of contact for reporting of security flaws and bugs.

In-scope businesses will be required to produce statements of compliance, investigate compliance failures, and maintain related records.

The new regime will be overseen by a yet to be designated regulator who will have the power to fine companies up to £10 million or 4% of annual global turnover, as well as up to £20,000 per day for non-compliance.

NIS Regulations 2021 amend incident reporting thresholds for DSPs

The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 have been made and will come into force on 12 January. They amend the incident reporting thresholds for relevant digital service providers as the previous thresholds established when the UK was in the EU, are no longer suitable.  The Regulations amend Article 4 of the retained EU Implementing Regulation and provide for the ICO to set thresholds.  Regulation 12 also requires relevant Digital Service Providers to have regard to ICO guidance when deciding whether or not they need to report an incident.  

The ICO's consultation on replacing the outdoing thresholds concluded in October 2021.  It focused on either replacing the numerical thresholds with UK-relevant ones, or on introducing risk-based indicative and relative thresholds.  While the ICO has said final guidance will be in place by the time the new Regulations come into force, the legislation will continue to work without this as it already contains metrics for DSPs to take into account when assessing the impact of an incident and whether or not to report it.

ICO consultation on Regulatory action policy and statutory guidance

The ICO is consulting on its Regulatory action policy across the laws it monitors and enforces, including the UK GDPR, the DPA18, PECR and the FOIA. The policy looks at the ICO's general approach to regulatory action and explains factors it takes into consideration when taking regulatory and enforcement action. The consultation also covers the ICO's statutory guidance on regulatory action and on PECR powers.  

The consultation closes on 24 March 2022.

South Korea gets EU adequacy

The European Commission has adopted an adequacy decision in favour of South Korea.  Personal data can now be transferred to South Korea from the EU without the need for additional transfer mechanisms.  It remains to be seen whether the ICO will now adopt an equivalent decision to enable the free flow of personal data to South Korea from the UK.

Regulations reforming the DPA18 immigration exemption

The Court of Appeal last year ruled the immigration exemption in paragraph 4 of part 1, Schedule 2 of the Data Protection Act 2018, unlawful.  This exempts controllers from needing to comply with specified provisions of the DPA18 and the UK GDPR, where personal data is processed for the maintenance of effective immigration control or the investigation or detection of activities which would undermine effective immigration control, to the extent that compliance would prejudice these measures. The effect of this decision was stayed temporarily to allow the government to make changes to the law.

‍Regulations reforming the unlawful immigration exemption under the Data Protection Act 2018 have now been laid before Parliament. They must come into force by the end of January 2022.

Under the new Regulations, in order to rely on the exemption, the Secretary of State must put in place an immigration exemption policy document outlining the process for deciding whether or not the exemption applies, and ensuring that personal data is not processed contrary to the UK GDPR.  The exemption must be applied on a case by case basis in accordance with the policy document. Records must be kept of decisions and the reasoning behind them, and data subjects must be informed of the decision unless that would be prejudicial to specified purposes.

The immigration exemption had long been cited as a potential EU adequacy issue so, given the EU adequacy decision can be reviewed and withdrawn at any time, the reform is welcome.

ICO consultation on draft guidance on rights of access to law enforcement data

The ICO is consulting on its draft guidance on rights of access by individuals to their data held for law enforcement purposes under Part 3 of the Data Protection Act 2018. The guidance is aimed at DPOs and those with data protection responsibilities in the context of law enforcement processing and is intended to be read in conjunction with the ICO's guidance on subject access rights more generally.  It explains the right of access and provides advice on how to recognise a SAR made under Part 3.  It looks at how to respond, when exceptions might apply, the issue of acting as a joint controller, and at when the information requested includes information about third parties.

EDPB final guidelines on data breach notifications

The EDPB has adopted a final version of its Guidelines on examples regarding data breach notifications. The guidelines are intended to complement the Article 29 Working party guidance by providing more practical examples. They are intended to help controllers decide how to handle breaches and conduct risk assessments.

Grindr fine reduced from £8.6 to £5.5 million

The Norwegian DPA has confirmed the final penalty imposed on Grindr for data protection failings. The fine was originally set at around £8.6 million after the Norwegian regulator found the dating app had failed to get valid consent to disclosure of user data to third parties for targeted advertising purposes.  Data disclosed included special data.  Grindr has since changed its consent collection mechanism.

More work to be done on India's new data protection law

A Joint Parliamentary Committee report on India's Personal Data Protection Bill has made 81 recommendations and 151 corrections and amendments to the current draft.  The two chambers have until the end of the Winter 2023 session to consider and approve the report before acting on the Bill although it may be considered at any time.  This suggests we are unlikely to see enactment any time soon.

UAE federal data protection law in force

The UAE's new federal data protection law came into force on 2 January 2022.  It applies to controllers and processors located in the UAE and to those processing the personal data of individuals located in the UAE.  There are many similarities with the (UK) GDPR, however, the main lawful processing basis is consent as there is no legitimate interests basis.  Transparency requirements are more limited and there is no requirement to provide a privacy policy.  There are, however, more onerous data processing record keeping requirements.

International transfers of personal data can take place to countries which have an agreement with the UAE, or under data transfer clauses, with the consent of the data subject, or where necessary to fulfil a contract with the data subject.

The UAE has also established a new UAE data office to regulate compliance.

Irish Data Protection Commissioner guidelines on children's privacy

The Irish data protection regulator has published final guidelines on processing children's personal data. The guidance sets out best practice and principles to follow to protect children when processing their data.  It identifies 14 'Fundamentals' focusing on transparency, consent and empowerment.