
DWF Data Protection Insights November 2024

25 November 2024

Here is our round-up of the top data protection and cyber security stories looking back at October 2024, together with practical advice on what we are seeing in practice.

Last month in review:

Last month, there were new legislative developments in the EU (such as the first Implementing Regulation on the NIS 2 Directive and the adoption of the Cyber Resilience Act) and in the UK (such as the introduction of the new Data (Use and Access) Bill to Parliament).

In addition, there were several rulings from the Court of Justice of the European Union ("CJEU") on key issues such as the assessment of non-pecuniary damages, legitimate interest as a lawful basis under Article 6 of the GDPR and health data. The European Data Protection Supervisor ("EDPS") also published various Opinions and guidance and the European Commission ("EC") published its first report on the EU-US Data Privacy Framework ("DPF").

Meanwhile, the ICO has continued to take enforcement action against organisations for unlawful direct marketing practices.

Our trends:

We have identified some key themes emerging from our work with clients last month. We wanted to share these to provoke some thoughts amongst our readers so please do reach out to us for advice or assistance:

  • Conducting corporate due diligence exercises in pre-sale acquisitions from a data protection perspective;
  • Continuing to support our clients with Data Subject Access Requests ("DSARs"); and
  • Supporting our clients with privacy transformation projects to improve their overall compliance levels.

Our contents this month: 

Our events and articles


Data Protection and Cyber Security Breakfast Briefing

On 31 October 2024, we hosted our latest Breakfast Briefing, which focused on understanding DSARs and providing insights into the strategies and tools that businesses can use to manage DSARs effectively. In case you missed this session, you can read our blog here.

Our next Breakfast Briefing will take place on 28 November 2024 and will explain DWF's innovative and recently launched Data Protection Extend & Accelerate programme. This great value service offering has been specifically designed to help support businesses through their everyday challenges, whether there has been an influx in data protection workloads or pressure from a lack of available resource, for example.

If you are interested in learning about how your organisation could benefit from this service in a cost-effective way, please let us know by registering your interest in attending this Breakfast Briefing with your usual DWF Data Protection & Cyber Security contact or by sending an email to dpcs@dwf.law.

France technology and data protection insights

Read the latest news of interest in the areas of technology and data in France here.

General updates


UK: Data (Use and Access) Bill introduced to Parliament

The Bill, with its second reading on 19 November 2024, proposes several amendments to the UK data protection framework, including:

  • Several "recognised legitimate interests" for data processing;
  • Setting conditions under which secondary processing of personal data is compatible with the original purpose that it was collected for;
  • New rules for DSARs, cookie consent compliance and automated decision making; and
  • A "data protection test" to approve Restricted Transfers where the level of protection provided by the recipient country is not "materially lower" than those provided in the UK.

EU: CJEU publishes judgment on compensation for non-pecuniary damages

On 4 October 2024, the CJEU delivered a key ruling in Case C-507/23, addressing compensation for non-pecuniary damages under the GDPR:

  • A breach alone does not automatically constitute “damage” under Article 82(1) GDPR, which requires evidence of actual harm to data protection rights.
  • An apology could be a valid form of compensation for non-pecuniary damage if it adequately addresses the harm suffered.
  • The controller’s motivation cannot justify lesser compensation, as the focus should remain on the harm caused to the data subject.

This ruling clarifies that non-pecuniary damages under GDPR require demonstrable harm, but non-financial remedies such as apologies may suffice depending on the circumstances.

EU: CJEU publishes judgment on "legitimate interest" as a lawful basis

The judgment relates to a case in which a Dutch sports federation ("KNLTB") disclosed personal data of its members to two of its sponsors in order to post promotional leaflets and conduct a telephone call campaign, in return for remuneration. The CJEU held that a commercial interest may be necessary for the purposes of achieving a legitimate interest on the condition that the processing is strictly necessary in order to do so, the fundamental rights and freedoms of those affected are not overridden by such interest and the legitimate interest being pursued is lawful.

EU: EDPB adopts Opinion on obligations arising from reliance on processors and sub-processors

In its Opinion, the EDPB concludes that data controllers should:

  • Ensure their processors and sub-processors provide sufficient guarantees to implement appropriate measures for complying with the GDPR (including verification of their identity and the details provided);
  • Demonstrate the steps they have taken to verify that their processors and sub-processors are GDPR compliant (i.e. the "Accountability" principle);
  • Maintain an up-to-date list of the details of the processors and sub-processors used; and
  • Retain ultimate control over the appointment of sub-processors.

EU: EDPB adopts Statement on the Draft regulation laying down additional procedural rules for the enforcement of the GDPR

In the Statement, the EDPB largely supports the amendments made by the European Parliament and the EC, which include:

  • Lead supervisory authorities being able to opt out from enhanced co-operation (in straightforward cases);
  • Providing a legal basis for supervisory authorities to conduct preliminary vetting of complaints;
  • Facilitating amicable settlements in an attempt to resolve issues without formal enforcement action being required, and providing a legal basis to do so; and
  • Introducing additional deadlines for supervisory authorities when dealing with complaints (although the EDPB highlights that deadlines should be realistic, with some flexibility where appropriate and required in complex cases).

EU: EDPB publishes Guidelines on the Technical Scope of Article 5(3) of the ePrivacy Directive

Article 5(3) of the ePrivacy Directive prohibits the "storage" of, or "gaining of access" to, "information" stored in the "terminal equipment" of a "subscriber or user" unless they are provided with "clear and comprehensive information" about the purposes of doing so and have given their consent. The EDPB's new Guidelines clarify what these terms mean in a practical sense and apply this analysis to several use cases, including URL and pixel tracking, local processing, IP tracking, Internet of Things reporting and unique identifiers.

EU: CJEU publishes judgment on health-related data

On 4 October 2024, the CJEU issued a judgment on Case C-21/23 concerning whether distribution of pharmacy-only medicines online, which required customers to provide certain information about themselves and the product being purchased, constituted both an unfair commercial act under German competition legislation and a breach of the GDPR in the absence of explicit consent for the processing of special category data. The CJEU ruled that:

  • The GDPR does not prohibit national laws that allow competitors to bring legal proceedings against competitors for data protection law infringements as unfair commercial practices;
  • The information provided by customers when purchasing the product online constitutes health data. Therefore, retailers must inform customers, in an accurate, comprehensive and easily understandable manner, of the purposes for which their special category data is processed and obtain their explicit consent for such processing.

UK: New data protection audit framework launched to help organisations improve compliance

On 7 October 2024, the ICO launched a new audit framework designed to help organisations comply with key requirements under data protection legislation. The framework centres around several key areas: accountability, records management, information & cyber security, training and awareness, data sharing, data requests, personal data breach management, AI and age-appropriate design.

EU: EDPS publishes Opinion on Europol's proposed rules on retention periods

In its Opinion, the EDPS made 33 recommendations (some of which it "deems necessary" for Europol to implement) which include:

  • Explaining that only personal data which is processed in the public interest or for scientific or historical research purposes will be stored for longer periods;
  • Being more prescriptive on the specific retention period (e.g. clarifying the start and end dates or the 'trigger' that determines this) and the justification for this; and
  • Assessing certain processing activities to understand whether a shorter retention period could be justified.

Adtech and direct marketing


UK: ICO fines three companies for unlawful direct marketing communications

  • Quick Tax Claims Limited fined £120,000 – for sending over 7.8 million unlawful text messages in a single month without valid consent, prompting nearly 67,000 complaints, with 93% of recipients stating there was no option to opt out.
  • Werepair UK Ltd fined £80,000 – for making 42,688 unsolicited calls to individuals who had explicitly opted out from receiving marketing communications, which it has appealed.
  • Service Box Group Limited fined £40,000 – for making 5,361 calls to individuals who had explicitly opted out from receiving marketing communications.

AI and innovation


EU: European Artificial Intelligence Office hosts kick-off Plenary for the General-Purpose AI Code of Practice

The Plenary, which involved almost 1,000 attendees, marks the start of the process of drafting the first Code of Practice for general-purpose AI models under the new EU AI Act. The final version of the Code of Practice is expected to be published in April 2025.

Cyber, breach and ransomware


EU: EC adopts the first implementing Regulation on cybersecurity of critical entities and networks under the NIS 2 Directive

The Implementing Regulation (https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L_202402690) details the technical and methodological requirements for the cybersecurity risk management measures that certain service providers must adopt to ensure their network and information systems are protected by an appropriate level of security, and provides guidance on "significant" incidents (which require notification to the relevant authorities). The Implementing Regulation was published in the Official Journal of the EU on 18 October 2024 and entered into force 20 days later (i.e. 7 November 2024).

UK: ICO publishes a blog on the devastating impact of data breaches

The ICO's blog highlights that those impacted by data breaches often feel unheard and that the harm they suffer is not taken seriously or is overlooked. Figures published by the ICO reveal that 55% of adults have had their data lost or stolen, and one of the most troubling revelations is that 32% of those affected by breaches find out through the media as opposed to hearing directly from the affected organisation itself. The ICO has therefore issued a warning that organisations must do better to understand the impact data breaches can have on individuals and stop the "ripple effect" – in the ICO's words, "it is vitally important to acknowledge what has happened, be human in your response and commit to making sure it doesn’t happen again".

EU: Council of the EU adopts the Cyber Resilience Act ("CRA")

On 10 October 2024, the EC announced it had adopted the CRA, which aims to improve cybersecurity within the digital services industry. It applies to most products that have digital components (with some exceptions) and imposes several obligations on manufacturers, importers and distributors, as well as requirements for the products themselves.

Data Transfers


EU: EC publishes its first report on the EU-US DPF

Following its request for feedback earlier this year, the EC has published its first periodic review of the adequacy of the EU-US DPF. In summary, the EC is content that the US authorities have put in place the necessary measures to ensure the EU-US DPF operates effectively and will conduct its second review in three years' time, although in the meantime it will closely monitor legislative developments.

If you have any questions relating to this article, please reach out to our authors below.
