This month in review:
Our key news has to be the ever-changing position on AI. With a UK Global Summit, the ICO reviewing and issuing warnings regarding AI use and new guidance coming on neurotech, it's still very topical.
Focusing in on some specific areas:
- New ICO Privacy Enhancing Technologies guidance – assessing how hardware and software can assist in applying core data protection principles and concepts into practice, and aimed at those in the finance, healthcare, research and central and local Government sectors in particular. Moving beyond paper process to operationalisation is a key challenge.
- Aligned with that is the launch of the ICO's new Innovation Advice Service – allowing the ICO to assist in answering topical and complex questions on emerging technology.
- For all employers: DSARs – The ICO issued new guidance around handling data subject access requests to assist employers with FAQs – read more below.
- Data transfers – the UK and US announced an intended data bridge.
Our contents this month:
- General updates
- Adtech and direct marketing
- AI and Innovation
- Cyber and ransomware
- Employment and Data Subject Rights
- Data transfers
- Public sector
General updates
UK – ICO launches new Privacy Enhancing Technologies (PETs) guidance
The ICO launched its new privacy enhancing technologies ("PETs") guidance on 19 June 2023. The guidance is aimed at organisations processing large personal data sets in finance, healthcare, research and central and local Government, and stresses the opportunities that these types of software and hardware technologies can open up. PETs are linked to the "data protection by design and default" requirement as well as the core Data Protection Principles, and are relevant when considering the technical and organisational measures (TOMs) in place, amongst many other things.
EU – European Commission proposes new rules to modernise payment services and open financial services data
The European Commission, on 28 June 2023, announced proposals to further improve consumer protection and competition in electronic payments, by empowering consumers to share their data in a secure way to access a varied offering of financial products and services. The developments seek to ensure that the measures in place are capable of adapting to the ongoing digital transformation, including both the opportunities and risks presented.
The two sets of measures proposed include:
- Revising the Payment Services Directive, to allow payment service providers to share fraud-related information between themselves and improve customers' control over their payment data; and
- Legislative proposal for a framework for Financial Data Access, including: permitting customers to share their data with data users; obligation for customer data holders to make this data available to data users; full control by customers over who accesses their data and for what purpose; standardisation of customer data and the required technical interfaces; clear liability regimes for data breaches and dispute resolution mechanisms; and additional incentives for data holders to put in place high-quality interfaces for data users.
EU – EDPB adopts guidelines on the calculation of administrative fines following public consultation
During its most recent meeting, the EDPB adopted the guidelines on the calculation of administrative fines following public consultation. The guidelines set out a five-step methodology which aims to build more efficient cooperation among data protection authorities and includes harmonised "starting points".
The five-step methodology, at a high-level, involves:
- Step 1: identifying the processing operations and evaluating the application of Article 83(3) GDPR.
- Step 2: finding the starting point for further calculation based on an evaluation of:
- a) the classification in Article 83(4)–(6) GDPR;
- b) the seriousness of the infringement pursuant to Article 83(2)(a), (b) and (g) GDPR; and
- c) the turnover of the undertaking as one relevant element to take into consideration with a view to imposing an effective, dissuasive and proportionate fine, pursuant to Article 83(1) GDPR.
- Step 3: evaluating the aggravating and mitigating circumstances related to the organisation's behaviour and amending the fine accordingly.
- Step 4: identifying the relevant legal maximums for the different processing operations. An increase applied in other steps cannot exceed this amount.
- Step 5: analysing whether the final amount of the fine meets the requirements of effectiveness, dissuasiveness and proportionality, as required by Article 83(1) GDPR. The fine should be increased or decreased accordingly.
Ireland – New Irish law could make data protection procedures confidential
Through a last-minute amendment to the Courts and Civil Law (Miscellaneous Provisions) Bill 2022, the Irish Data Protection Commission may be provided with discretion to classify their procedures as confidential. Although the proposal has already faced criticism for hindering public discussion, to utilise the provision the DPC must identify the specific information and the specific reasons by reference to the definition of confidential information.
Adtech and direct marketing
UK – ICO fines two energy companies a combined £250,000 for making unlawful marketing calls
Further to our May 2023 update, which included the ICO's fines totalling £180,000 to two firms, the ICO has issued further fines for unlawful marketing calls. Maxen Power Supply Ltd was fined £120,000 following 100 complaints made to the ICO and the Telephone Preference Service (TPS). Crown Glazing Ltd was fined £130,000 for making more than 500,000 calls to people registered with the TPS. Both organisations made unsolicited marketing calls while falsely claiming to represent other organisations.
Andy Curry, Head of Investigations at the ICO, stated "This fine should send a clear message that companies cannot avoid the law and avoid detection by the use of third-parties and overseas call centres. The ICO will continue to take action to ensure both the public and UK businesses are protected".
EU – "Behavioural retargeting" organisation fined €40,000,000 by CNIL in cross-border case
The organisation fined, CRITEO, specialises in "behavioural retargeting": tracking the navigation of internet users in order to display personalised advertisements. CRITEO collected the browsing data of internet users via the CRITEO cookie, which is placed on their terminals when they visit certain partner websites. CNIL found that CRITEO breached GDPR in five areas, namely failure to: demonstrate that the person has given consent (Article 7.1 GDPR); comply with the obligation of information and transparency (Articles 12 and 13 GDPR); respect the right of access (Article 15.1 GDPR); comply with the right to withdraw consent and erasure of data (Articles 7.3 and 17.1 GDPR); and provide for an agreement between joint controllers (Article 26 GDPR).
AI and innovation
UK – "Real danger" of discrimination posed by neurotech: ICO
The ICO, in its recent news article, warned of the risks of bias and discrimination posed by newly emerging neurotechnologies. Neurotech involves the use of technology to monitor neurodata, which is the information coming directly from the brain and nervous system. Whilst neurotech is already used in the healthcare sector, the ICO predicts that it will become more widespread over the next decade as neurotechnologies are rapidly developing in the personal wellbeing, sports and marketing sectors. The ICO warns that, if these technologies are not developed and tested on a wide enough range of people, there is a risk of inherent bias or inaccurate data being embedded. The ICO is developing specific neurodata guidance.
UK – ICO reviewing use of generative AI and urges caution
Generative AI creates content by collecting sets of data, sometimes publicly accessible data from sources online, including personal information. The ICO has issued a warning to businesses to address the privacy risks that generative AI can bring, before rushing to implement it.
Stephen Almond, Exec Director of Regulatory Risk at ICO, commented that: "Businesses are right to see the opportunity that generative AI offers, whether to create better services for customers or to cut the costs of their services. But they must not be blind to the privacy risks." You can read the full article here.
UK – The ICO's new innovation advice service
The ICO has launched a direct service for organisations using new or innovative technologies or services involving personal data. Although the service is available to all organisations to ask questions about an innovative project using personal data, the ICO suggests that new technologies might include the use of: artificial intelligence or machine learning; biometric or genetic data; or privacy enhancing technologies. Anonymised versions of questions and answers will be published here.
UK will host the first global summit on Artificial Intelligence
The rapid development and implementation of AI presents challenges and opportunities, and the UK will bring together key countries, leading tech companies and researchers to agree safety measures to evaluate and monitor the most significant risks presented by AI. The announcement confirms that the summit is expected to be hosted this autumn.
Cyber and ransomware
MOVEit hack
Beginning on 5 June, a growing number of organisations started to announce that they were affected by the exploitation of a vulnerability in the MOVEit file transfer software. It first came to light when a US company, Progress Software, reported that threat actors had accessed the MOVEit Transfer tool it developed. The MOVEit software transfers sensitive files, which in many instances include employee and customer data.
The Cl0p ransomware group publicly announced that they were responsible for the attacks and, via their 'leak site' on the Dark Web, invited affected organisations to make contact with them in order to commence negotiations. The global nature, and the volume of organisations and individuals impacted, serve as a reminder of the importance of supply-chain security, including the implications for third-party agreements and international transfer provisions. This shows a trend towards not just supply-chain attacks, but component-level attacks that hit many organisations at once.
Employment and Data Subject Rights
UK – ICO issues new resource for employers dealing with data subject rights requests
The ICO issued new guidance aimed at employers responding to DSARs. The Q&A covers a broad range of topics specific to an employee DSAR, namely:
- What is a DSAR and does it have to be submitted in a prescribed format?
- Can employers seek clarification?
- When can an employer seek to rely on an exemption?
- What implication, if any, does a non-disclosure agreement have?
- Does a tribunal or grievance process impact a DSAR?
- Should email and social media platforms be included in a search?
- How should an employer deal with a CCTV request?
- What next steps are there for the employee if they are not satisfied with the response?
We often advise our clients in respect of routine and contentious data subject rights requests, and the appropriate course of action to take in your unique circumstances.
Data transfers
noyb submits complaint over alleged telephone data misuse
noyb has submitted a complaint to the Belgian data protection authority against two US-based companies (BISC, a telecommunications provider, and TeleSign, a fraud prevention firm). noyb alleges that the organisations improperly collected and shared data about European residents between them. The complaint relates to the proportionality and retention of the data collected, and alleges that TeleSign is undertaking profiling using predictive algorithms.
UK – US data bridge
The UK and US Governments issued a joint statement on 8 June 2023 announcing that both countries have committed, in principle, to establish a data bridge. The statement marks the UK's intention to establish a data bridge for the UK extension to the EU-US Data Privacy Framework. This would allow for the free flow of personal data between the UK and certified organisations in the US, which will promote the use and exchange of data between the two.
Public sector
UK – reprimand to police for releasing witness details to suspected criminals
The ICO issued a reprimand to a police force after details were released which led to suspected criminals learning the address of a witness. The witness was required to move house and remains at high risk. The police force is required to take action to comply with data protection law, including: providing training to all relevant staff; sharing updates to its policies and procedures as they become available; and continuing to review its policies and guidance on handling personal data.
UK – ICO takes action against local authority for failing to respond to Freedom of Information requests
The ICO reprimanded a local authority for its poor handling of Freedom of Information Requests. The ICO previously asked the Council to improve its compliance with the Freedom of Information Act (FOIA) 2000. The Council's June 2023 update showed that progress had not been maintained, and performance actually declined. The enforcement notice requires the Council to respond to all outstanding requests over 20 working days old, no later than six months from the date of the notice, and to devise and publish an action plan to mitigate any future delays to FOI requests, within 35 days from the date of the notice.
Please also see our articles on Privacy Enhancing Technologies, AI and DSARs above.
If you have any questions relating to this article please reach out to our authors below.