
DWF Data Protection Insights February 2025

21 February 2025

Here is our round-up of the top data protection and cyber security stories looking back at January 2025, together with practical advice on what we are seeing in practice.

This month in review:

The month of January brought with it both a new year and new developments and clarity to the data protection world.

In the EU, the EU Commission has provided a decision regarding the draft Regulatory Technical Standards (“RTS”), the European Data Protection Board (“EDPB”) has published new guidelines for consultation, and the Interactive Advertising Bureau (“IAB”) Europe has issued feedback on pay and consent modules.

In the UK, the Data (Use and Access) Bill (“DUAB”) has seen further progression in the House of Lords, the Information Commissioner’s Office (“ICO”) has published figures on its progress during 2024 and its plans for 2025, and the UK Government has opened a consultation regarding ransomware.

Our trends:

We have identified some key themes emerging from our work with clients over the last month. We wanted to share these to provoke some thoughts amongst our readers so please do reach out to us for advice or assistance:

  • Supporting our clients with data subject rights requests – providing advice on how to respond to data subjects and what options are available when handling the various rights requests, and assisting both in organising internal processes and in providing external resourcing support.
  • Advising clients on policy updates and implementation, including the requirements that policies must meet to ensure our clients are best protected and compliant with data protection laws. This has included modifying pre-existing policies to meet new needs and developing internal guidance notes to help our clients’ employees process personal data in an appropriate manner.
  • Conducting corporate due diligence on a variety of matters across a range of different businesses, highlighting potential pain points for the respective buyer or seller, and providing solutions to these issues.

Our contents this month:

Our events and articles

Decoding the UK’s AI Opportunities Action Plan

DWF’s Commercial, Regulatory & Data team has produced an article which dissects the UK’s AI Opportunities Action Plan. The Action Plan marks a significant evolution in the UK’s approach to AI and has the potential to impact other laws, such as copyright.

Newsletter Tech Data November

DWF’s France-based data protection team have also produced an article providing updates on recent legal developments within Europe. The article discusses topics such as a CNIL-issued fine for failures to comply with obligations laid down by RGPD, and the Italian data protection authority’s latest comments on ChatGPT and its training methods. The full article is available here.

Data Protection and Cyber Security Breakfast Briefing

On 30 January 2025, we hosted our first Breakfast Briefing of the year, which rounded up the key developments from 2024 and then the team’s predictions for the upcoming year across all aspects of the industry including regulatory changes, cyber risk, privacy, and AI. In case you missed this session, a link to the session can be found here.

Our next Breakfast Briefing will take place on 27 February 2024 and will explore a range of relevant matters, with a focus on the high-profile DSAR challenge in Ashley v HMRC as well as an insight into the UK’s new AI developments – the AI Cyber Security Standard. If you are interested in attending, please reach out to your DWF contact, or email us at DPCS@DWF.law.

General updates

UK: Update on the DUAB

Since our last article, the DUAB has now completed its journey through the House of Lords and its first reading in the House of Commons. The DUAB proceeded to the second reading on 12 February 2025. After debating the bill, it has now been sent to the Public Bill Committee which will scrutinise the bill line by line. A report is expected to be delivered to the House of Lords on 18 March 2025.

UK: The ICO outlines strategy on online tracking and reviews cookie usage in 2025

The ICO summarised its key actions of 2024 and outlined its strategy for 2025, focusing its approach on tackling online tracking so that individuals can use online services with trust. The ICO has also outlined the key issues that organisations engaging in online tracking need to consider. As part of its guidance, the ICO has specifically addressed ‘consent or pay’ models, highlighting the importance of businesses being able to demonstrate that consent is freely given, and setting out the factors organisations need to consider when implementing such models.

EU: Commission rejects the draft RTS under the Digital Operational Resilience Act (“DORA”)

The EU Commission has rejected the draft RTS on the basis that it exceeded the European Supervisory Authority’s (“ESA”) reach by introducing conditions unrelated to subcontracting as outlined in Article 30(5) of DORA. The draft RTS intended to direct financial entities under DORA when assessing risks associated with subcontracting ICT services for critical or important functions. You can read the full article here.

International: Data protection and privacy laws now in effect in 144 countries

Research conducted by the IAPP has indicated that 144 countries across the world have now enacted data privacy laws, with around 6.64 billion people now protected by some form of data privacy legislation. The most recent countries to introduce data privacy laws include Cameroon, the Republic of Moldova and the Vatican City. Countries such as Botswana, Chile, and Vietnam have made notable amendments or replacements to their data privacy laws. Many of these new laws have been enacted to be in line with international standards, such as the EU General Data Protection Regulation (GDPR). The full analysis from the IAPP can be found here.

EU: EDPB publishes guidelines on pseudonymisation for public consultation

On January 17, 2025, the EDPB published its new guidelines on pseudonymisation for public consultation. The EDPB reiterated that pseudonymisation helps to reduce the risk to individuals by making identification more difficult and can help controllers to comply with data protection principles and obligations. The EDPB also stated that pseudonymisation is not fully risk-proof, since pseudonymised personal data can be reversed, so it remains important for controllers to implement adequate safeguards. The EDPB provided guidance to controllers on how to implement pseudonymisation, including how to choose safeguards. Lastly, the EDPB stressed the importance of informing individuals about pseudonymisation, how it applies to the controller’s processing of their data, and what the impact may be should their pseudonymised data be affected by a breach.

Public comments can be submitted until February 28, 2025 via the link here.

You can read the full press release here and the guidelines here.

EU: the IAB Europe sends feedback to the EDPB on its 'consent or pay' models event

On November 18, 2024, the EDPB held an event on 'consent or pay' models. On January 16, 2025, the IAB Europe announced that, together with various European data protection authorities, it had submitted feedback setting out its views and key concerns arising from the event. Specifically, IAB Europe highlighted the importance of a unified and consistent approach to 'consent or pay' models across Europe and expressed concerns regarding the assessment of 'freely given consent' in the context of 'consent or pay' models.

You can read the full press release here and the feedback paper here.

UK: the Department for Science, Innovation, and Technology (“DSIT”) announces revised data protection fees

On January 16, 2025, the DSIT announced revised data protection fees following a consultation on the fees payable to the ICO, which can be found here. Specifically, the data protection fees across all tiers were increased by 29.8%; the table below sets out the fees.

The following practices were retained:

  • the existing three-tier structure, including the applicable criteria for determining fees payable;
  • the £5 discount applicable to direct debit payments across all tiers; and
  • the current exemptions from the requirement to pay a fee.

Tier   Current fees   New fees
1      £40            £52
2      £60            £78
3      £2,900         £3,763

You can read the full press release here.

Adtech and direct marketing

UK: The ICO fines company for unlawful direct marketing communications

The ICO has fined ESL Consultancy Services £200,000 for its violation of the Privacy and Electronic Communications Regulations (“PECR”). The ICO determined that ESL Consultancy Services failed to obtain valid consent for its direct marketing practices, which promoted high-interest loans to its subscribers. Additionally, ESL Consultancy Services attempted to obscure the identity of the sender of the messages by using unregistered SIM cards. You can read the ICO’s decision in full here.

UK: High Court rules on standard of consent required for profiling and direct marketing

A claimant stated that Sky Betting and Gaming (“SBG”) collected and used their personal data in an unlawful manner through cookies and targeted marketing. This exacerbated the claimant’s gambling addiction, and they sued for harm, distress, and financial loss. Despite SBG’s argument that the claimant had given valid consent, the court found that:

  • Compulsive gambling behaviour compromised the ability to give consent;
  • The data subject was not adequately informed of the extensive profiling and marketing.

Full details of the decision can be found here.

AI and innovation

UK: The ICO published its response to Government on economic growth including AI and data transfers

The ICO has responded to a request for proposals to enhance business confidence and boost economic growth. It plans to establish unified rules for AI products to facilitate responsible innovation and investment whilst safeguarding information rights. The ICO also supports the government's efforts to legislate these rules as a statutory Code of Practice on AI. Additionally, the ICO has provided guidance on emerging technologies, including neurotech and cloud computing, and is assisting in the implementation of AI within the public sector to enhance trust and improve efficiency.

UK: The Government unveils new AI Opportunities Action Plan

On 31 January 2025, DSIT announced the new AI Opportunities Action Plan, which is designed to promote growth in both the private and public sectors. The plan has a key focus on establishing new AI Growth Zones, a new supercomputer to increase public compute capacity, and a new team to grasp the opportunities of AI. You can read the full article here.

UK: ICO publishes blog on data protection myths about AI

The ICO highlights the transformative potential of AI in areas like healthcare and public services while addressing common misconceptions about data protection in AI. The ICO emphasises individuals retain control over their personal data, and organisations must be transparent and lawful when using such data for AI development. Contrary to myths, data protection laws apply regardless of intent or whether AI models store identifiable data. The ICO asserts data protection facilitates responsible AI innovation by ensuring compliance with legal obligations and safeguarding rights. The ICO also highlighted its role in monitoring AI developers' compliance and ensuring safeguards, asserting that current data protection laws are adaptable to new technologies like AI. The full article can be found here.

Cyber, breach and ransomware

UK: Home Office launches public consultation on proposals to address ransomware

The Home Office has announced a public consultation containing three proposals to tackle ransomware threats. The Home Office has proposed: 1) a ban on ransomware payments by public bodies and critical national infrastructure; 2) a ransomware payment prevention regime that supports the national crime agencies’ awareness of attacks; and 3) a mandatory reporting regime for ransomware incidents. Full details of the Home Office’s proposals can be found here.

EU: DORA becomes applicable to financial entities

On 17 January 2025, DORA became applicable to financial entities within the EU. DORA sets uniform requirements for the security of the network and information systems of financial entities, including risk management, incident reporting, and ICT third-party risk management. Moreover, DORA includes rules on the establishment and conduct of the Oversight Framework for ICT third-party service providers, which is to issue collective recommendations and best practices. Alongside this, DORA clarifies the cooperation and enforcement rules among competent authorities. Competent authorities are given the power to impose administrative penalties and remedial measures, as laid down by the Member States. You can read DORA in full here.

Employment and Data Subject Rights

EU: CJEU clarifies the meaning of excessive requests under the GDPR

On 9 January 2025, the CJEU ruled that data subject access requests cannot be seen as ‘excessive’ on the sole basis of the number of requests. The Austrian Data Protection Authority had considered the individual's requests excessive because it had received 77 similar complaints from the individual over a period of approximately 20 months. Despite this, the CJEU ruled on the definition of 'excessive' GDPR requests, emphasising intent and motive over quantity. The judgment is currently unavailable in English; however, a French version of the judgment can be found here.

EU: EDPB releases One-Stop-Shop case digest on right of access

The EDPB has published a case digest on the right of access under Article 15 of the GDPR. The key findings of the case digest highlight the significant role of Article 12 of the GDPR in supporting data subjects' right to access. The digest reveals that most complaints arise from issues with private sector controllers and processors, particularly in the context of social media and commercial activities. Decisions frequently rely on CJEU case law and have recently begun to reference EDPB Guidelines on the right of access.

EU: EDPB adopts 2024 CEF report on challenges to right of access

The EDPB released a report on the Coordinated Enforcement Framework 2024, highlighting challenges and positive compliance in implementing the right of access under the GDPR. The EDPB emphasised the need for greater awareness of Guideline 01/2022 at both national and EU levels, while also identifying seven additional challenges. The report indicated that two-thirds of the participating DPAs rated compliance by controllers as average to high, with best practices such as user-friendly online forms being adopted. Various national DPAs highlighted specific regional challenges and successes, with many echoing the need for improved resources and procedures to handle access requests efficiently.

Michael Ashley v Commissioners for His Majesty’s Revenue and Customs [2025] EWHC 134 (KB)

In Ashley v HMRC, Mike Ashley (the Claimant) brought a case against His Majesty's Revenue and Customs (HMRC, the Defendant) alleging a breach of his data subject access rights under Article 15 of the UK GDPR. The dispute arose from HMRC's handling of Mike Ashley's subject access request (SAR) for personal data relating to an inquiry into his 2011/12 tax return. While HMRC conceded the initial delays in providing the data, key issues remained regarding the scope of the SAR, the definition of "personal data" in this context, and the extent of the searches HMRC was required to undertake, specifically whether they included data processed by the Valuation Office Agency (VOA). The court was asked to determine whether HMRC had fully complied with its obligations under the UK GDPR in providing copies of all of Mike Ashley's personal data and whether it was justified in withholding certain information under the First Tax Exemption. The High Court ruled that HMRC had breached the rights provided to data subjects under Article 15 of the UK GDPR by failing to provide timely access to personal data.

Data Transfers

EU: EDPS reprimands Frontex for unlawful transmission of personal data to Europol

The EDPS reprimanded Frontex for unlawful data sharing with Europol in violation of EU regulations. Following an audit, the EDPS found that Frontex had systematically shared suspects' data without assessing necessity. Frontex ceased this practice and began discussions with Europol to establish criteria for data sharing. The reprimand highlights the importance of compliance with the EU Regulation.

EU: CJEU orders the Commission to pay €400 for unlawful transfer of personal data

The CJEU ruled that the EU Commission's data transfer to Meta Platforms was unlawful, ordering €400 compensation. The judgment found that personal data was transferred without appropriate safeguards, violating Article 46 of the Regulation. The Commission's appeal was partially dismissed, and compensation was awarded for non-pecuniary damage. The CJEU clarified that the transfer of data to AWS was compliant, but the transfer to Meta Platforms was not. This case underscores the importance of compliance with data protection laws.

If you have any questions relating to this article, please reach out to our authors below.

Meet the Team - Laura Welch, Associate

Laura is an Associate in DWF's Data Protection and Cyber Security Team in Manchester. She has advised a range of global clients across different industries such as media and technology, pharmaceutical, health care, sports, and retail services. She is a dual-qualified lawyer, having trained and practised in the United States for eight years before qualifying as a solicitor in England and Wales in 2019. She has done both contentious and non-contentious work.

Laura spent several years working as a US criminal prosecutor before moving into private practice, where she litigated both criminal and civil matters. Upon transitioning her career to the UK, Laura worked in-house for a highly successful national UK company operating in a technology-driven, data-intensive setting where data protection and industry-specific regulatory issues were vital to the business. Whilst working in-house, she developed a passion for data protection.

Laura has advised on: the data protection elements of commercial contracts; compliance with UK, EU and global privacy laws; supporting client and DWF-provided Data Protection Officers with a range of queries; complex data mapping and contentious Data Subject Rights Requests/DSARs; drafting Data Protection Impact Assessments, privacy and cookies policies and other necessary data protection policies and procedures; cross-border transfers of data in and out of the EEA and the United Kingdom; data breaches; and supporting corporate due diligence projects from a data protection perspective.

Written by JP Buckley, Kelly Marum, Stephen Kewley and Amandeep Kaur Sokhi.
