In review:
The key themes over the last two months focus on regulatory matters, particularly in relation to cookies, direct marketing communications, the right of access and data breaches across the UK and EU. The European Commission (EC) has announced that it is reviewing the EU-US Data Privacy Framework (DPF) for the first time since its implementation in July 2023. There have also been developments in relation to the use of AI technology, particularly within the education sector, and cybersecurity, such as the designation of UK data centres as "Critical National Infrastructure".
Our trends
Over the last two months, we have identified some key themes emerging from our work with clients. We thought we would share these to provoke some thoughts amongst readers:
-
Data breaches – we have continued to work closely with our clients to provide them with support and strategic advice through the challenging circumstances brought by data breaches.
-
Privacy notices and cookies – we have advised a range of clients in relation to their privacy notices and use of cookie technology to improve their compliance with their obligations under the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR).
-
Contracts – we have also advised various clients on the correct transfer terms and mechanisms in contracts governing international transfers of personal data, as well as appropriate data protection terms to include in data sharing and data processing agreements.
Our contents this month:
Our events and articles
Back to top >
Data Protection and Cyber Security Breakfast Briefing
On the 26 September 2024, we hosted our latest Breakfast Briefing on the application of the data protection principles to the use of AI technology. This session explored the ways in which organisations can ensure they comply with their obligations under the new EU AI Act and the benefits of introducing an internal AI governance programme. In case you missed this session, you can read our blog here.
Our next Breakfast Briefing will take place online on 31 October 2024 and will focus on the strategies that businesses can deploy to manage data subject access requests (DSARs) more effectively. If you are interested in attending and being part of our next event, please let us know by registering your interest with your usual DWF Data Protection & Cyber Security contact or by sending an email to dpcs@dwf.law.
The big question: How to regulate the net
Olivia O'Kane discusses the new Labour government’s 'Digital Information and Smart Data Bill' and how it is expected to enhance digital governance and online safety. Read the article here for more insights on online platform liability and the emerging challenges in online regulation.
Risk Matters Podcast: Cyber Incident Response
You may have seen from our previous insight articles that DWF’s Global Risk Team host a ‘Risk Matters Podcast’. The team are joined by Oliver Price, from Cybersecurity Advisory practice S-RM, and DWF’s Data Protection and Cyber Security Director, Jamie Taylor, to explore the complexities within the cyber incident response landscape. Parts 1 and 2 of the Cyber Incident Response podcasts are now live and can be watched here.
General updates
Back to top >
UK: Data Protection Fee Regime: Proposed Changes
The Department for Science, Innovation and Technology (DSIT) and the ICO have sought feedback on the Government's proposals to amend the data protection fees payable by data controllers to the ICO, for the first time since their introduction in 2018. The highest increase is for tier 3 controllers (£1,079) with minimal increases for tier 1 and tier 2 controllers. The consultation has now closed but you can read more about the proposal here.
EU: noyb sues Hamburg DPA's decision on 'Pay or OK' model
Max Schrems' privacy activist group, Noyb, has filed a lawsuit against the Hamburg Data Protection Authority (DPA) over its decision to approve the controversial 'Pay or OK' model used by the German news magazine, DER SPIEGEL. This model requires users to either agree to their personal data being used for advertising purposes or pay a subscription fee to access content ad-free. One of the concerns raised by this case is whether the Hamburg DPA acted more as a legal advisor than an impartial investigator.
UK: ICO publishes a report on tackling barriers to privacy-enhancing technologies (PETs)
The report explores the ICO's research on the challenges faced by organisations when adopting PETs, such as a lack of awareness of the technology, limited understanding of the risks, costs and benefits, and regulatory uncertainty. The report also provides several recommendations to help a range of different types of organisations to overcome these burdens, which includes commitment from the ICO's to publish further PET guidance and case studies.
UK: ICO release ‘Data Controller Study’
On 5 September 2024, the ICO released its “Data Controller Study” to understand more about data controllers' activities and views on data protection. Key findings reveal that whilst some organisations see data protection law positively, others view it as a constraint on their business activities. Common challenges faced by organisations include cybersecurity-related issues and the lack of expertise or staff training as barriers to adopt new technologies.
EU: Court of Justice of the European Union (CJEU) publishes judgment on lawfulness of processing for the performance of a contract
In a recent judgment, the CJEU ruled that the processing of personal data for the performance of a contract (under Article 6(1)(b)) requires such processing to be “essential for the proper performance of the contract concluded between the controller and the data subject”. Click here to read the full judgment, which also reiterates the rules around legitimate interests and legal obligation as the lawful bases for the processing of personal data.
EU: New guidance to be developed on the relationship between the GDPR and Digital Markets Act (DMA)
On 10 September 2024, the European Data Protection Board announced that it has agreed to work with the EU Commission to create guidance to ensure compatibility and consistency between the application of the GDPR and the DMA.
UK: Government publishes report on the influence of cookie settings on user privacy decisions
On 4 September 2024, the DSIT published their report which evaluates the ways in which cookie settings can influence user decisions. Notably, most participants accepted “all cookies” when presented with a neutral website-level cookie banner, but the report raises concerns that this was generally “out of habit” and “because it was the fasted option”. Read the report in more detail here.
UK: ICO reprimand Sky Betting and Gaming for using cookies without consent
The ICO found that between 10 January 2023 – 3 March 2023, Sky Betting and Gaming had deployed advertising cookies on the SkyBet website and shared personal data with advertisement companies before users were able to accept or reject to such cookies. The ICO also noted that Sky Betting and Gaming had promptly rectified the issue in March 2023.
EU: EDPB calls for expression of interest for event on 'Consent or Pay' guidelines
The EDPB has announced a call for expression of interest for stakeholders with relevant expertise to participate for their upcoming event on 'Consent or Pay' models, in help them develop their upcoming guidelines in this area. The event is to take place remotely on 18 November 2024 and registration is on a first-come first-served basis. Click here for more details or to register your interest.
Adtech and direct marketing
Back to top >
EU: Belgium DPA fines a company €8,000 for unlawful direct marketing communications
The Belgium DPA's investigation followed a complaint made by an individual which alleged that the company had continued to send them "commercial" emails, despite exercising their right to erasure under the GDPR. As such, the Belgium DPA found that whilst the company had a legitimate interest in sending "commercial" emails to the complainant, it had failed to provide the complainant with: (a) notification of their right to object to receiving direct marketing communications; and (b) transparent information regarding how their personal data was processed by the company. The decision (only available in Dutch) can be viewed here.
UK: ICO fines a company £40,000 for unsolicited direct marketing communications
Following an investigation conducted by the ICO, Coastal Windows & Conservatories UK LTD (CWC) was fined £40,000 for making over 18,000 unsolicited direct marketing calls to subscribers who had registered with the TPS. The ICO has also requested that CWC revise their procedures to ensure valid consent is received from individuals prior to making unsolicited direct marketing calls.
AI and innovation
Back to top >
UK: AI Safety Institute (AISI) announces research initiatives on AI "safety cases" for AI models
On 23 August 2024, the AISI announced that it plans to develop various "safety cases" for advanced AI models (AAIM), following concerns around the safety of AAIM within the context of training or deployment and the risks associated with the loss of control and autonomy. The "safety cases" will be based on a range of both positive and negative evidence, including searches for "countercases", "red teaming" and "blue teaming", to establish whether an AI system is safe within the context of training and deployment.
UK: Government publishes reports on generative AI in education
On 28 August 2024, the Department for Education published two reports on the insights from teachers, leaders, and pupils on the possible uses of generative AI in education.
The first of the two reports can be read here; this is a user research report detailing the findings of the "generative AI hackathons" project, which explored the potential applications of generative AI in the education sector. Whilst there were high levels of interest in using AI for feedback, there were some concerns around the tool being "over trusted" and interfering with teachers' professional judgements. The second report can be found here; this technical report details the experimentation work undertaken as part of the project and focuses on identifying optimal ways in which generative AI tools could be used to assist teachers in their job roles.
EU: Parliament releases Briefing EU Legislation in Progress paper on EU AI Act
On 2 September 2024, the European Parliament published their briefing paper which provides an overview of the regulation of AI under the new EU AI Act, as well as the views and concerns key personnel, including Advisory committees, national Parliaments, key stakeholders and academics.
Cyber, breach and ransomware
Back to top >
UK: National Cyber Security Centre (NCSC) announces changes to Active Cyber Defence programme (ACD)
On 2 August 2024, the NCSC announced that there would be a new version of their ACD programme (ACD 2.0) which aims to mitigate harms caused by commodity cyberattacks. To support this, the NCSC has invited UK organisations who have deployed cyber deception solutions (such as 'tripwires', 'honeypots' and 'breadcrumbs') to reach out with details on how these operate within their practice.
Spain: AEPD fines a retailer €270,000 following a data breach regarding payroll information
On 12 August 2024, the AEPD fined a retailer €450,000 following a complaint from an individual who had requested their payroll information for July but had instead received the payroll information relating to the entire workforce. The AEPD found that the data breach violated Article 5 (the integrity and confidentiality principle) and Article 32 (security of processing). The fine was, however, reduced to €270,000 due to the retailer's voluntary payment and acknowledgement of responsibility.
UK: ICO provisionally fines a software provider £6m following ransomware attack on NHS and social care services
This provisional decision follows a ransomware attack in August 2022, which resulted in hackers gaining access to a number of systems via a customer account that was not protected by multi-factor authentication. Sensitive personal data (such as medical records) and information on how to enter the homes of over 800 people who were receiving at-home care were exfiltrated, NHS and social care services were disrupted and staff members were unable to access patient records. The ICO published this provisional decision as a way to provide other organisations with information to help them protect personal data securely and avoid similar incidents from happening again.
UK: UK data centres designated as "Critical National Infrastructure"
On 12 September 2024, the DSIT announced that the UK Government has now classed UK data centres (including physical data centres and cloud operators that use them) as "Critical National Infrastructure". This classification means greater protection of data in the UK, particularly against the rising threat of attacks from cyber criminals.
Employment and Data Subject Rights
Back to top >
EU: Belgium DPA fines a telecommunications company for delay in responding to a DSAR
On 23 August 2024, the Belgium DPA fined the company €100,000 for responding to the DSAR 14 months after the request was submitted and failing to forward the request onto their Data Protection Officer, as specifically requested by the data subject. This decision highlights the importance for organisations to ensure their staff are appropriately trained on how to handle data subject rights requests and that there are sufficient procedures in place for doing so.
EU: CJEU publishes Advocate General Opinion on a data subject’s right to access and automated decision-making
In the Opinion, the Advocate General concluded that the obligation to provide "meaningful information about the logic involved" in automated decision-making includes providing a data subject with clear and detailed explanations on how their score was calculated and the reasons for the result. Such information should enable a data subject to verify its accuracy and a casual link between the method and criteria used and the automated decision that was reached. However, a data controller is not required to disclose technical information which is "so complex that it cannot be understood by persons who do not have particular technical expertise" (such as details of the algorithms that are used).
Data Transfers
Back to top >
International: EU Commission reviews the EU-US DPF
The EC has conducted its first review of the EU-US DPR since its adoption on 10 July 2023 and has invited stakeholders to provide their feedback on its functioning (which has now closed). The report is expected to be published soon and we will provide further updates in due course.
EU: Dutch DPA (AP) fines Uber €290m for unlawfully transferring personal data outside the EU
The AP's fine follows a complaint made by a French human rights group, on behalf of more than 170 French Uber drivers, in relation to their personal data (which included trip details, identity documents, health data and criminal offence data) being transferred from the EU to Uber's headquarters in the US without appropriate safeguards in place.
International: Cross-border law enforcement requests
The International Association of Privacy Professionals (IAPP) have recently produced an opinion piece on cross-border law enforcement data requests and how they differ from domestic requests. Important considerations include understanding the laws of both the requesting and receiving country, ensuring sufficient protections are in place (particularly where the countries do not have an adequacy arrangement in place) and the risks to the individuals involved. Examples of ways to manage these risks include ensuring requests are documented in official writing, the identity of the requestor and their reasons for requesting the data are sufficiently clear, the completion of appropriate lawful bases assessments.
EU: EU Commission intends to hold a public consultation on new Standard Contractual Clauses (SCCs) for third country data importers
The European Commission has announced that it plans to seek feedback later this year on the development of new SCCs for scenarios in which the data importer is located in a third country but is subject to the GDPR.
Public sector
Back to top >
UK: ICO reprimand the Labour Party for failing to respond to DSARs
The ICO's investigation followed receipt of over 150 complaints relating the Labour Party's failure to respond to DSARs it had received between November 2021 – November 2022. Of the 352 DSARs that had been received, 78% were found to have not been responded to within the maximum 3 month extension period and 56% had not been responded to within a year. The ICO has recommended that the Labour Party ensures it has adequate staff resources, complies with the steps in the action plan and delete unused inboxes in order to improve their DSAR compliance.
UK: ICO issue enforcement notice against Surrey Police for Freedom of Information (FOI) failures
The ICO’s investigation found that Surrey Police have “shown a lack of seriousness” about their obligations under the FOI Act 2000, as their compliance with responding to FOI requests has declined from 69% to 54% (with the oldest request in the backlog dating back two years). Surrey Police are now required to provide an action plan detailing how they will improve their compliance rate whilst continuing to clear their backlog of FOI requests.
If you have any questions relating to this article, please reach out to our authors below.
