DWF Data Protection Insights November and December 2023

This month in review:

We have combined the November and December updates for a bumper Insights report!

The key themes this month focus on regulatory matters, in relation to direct marketing failures and the use of tracking technologies, and updates to the mechanisms used for international data transfers. There are also lots of new legislative updates in the UK and EU, including the introduction of the draft Artificial Intelligence (Regulation) Bill and the adoption of the Data Act by the European Council.

Our trends

Also this month, we've identified some key themes of what our clients are asking us. We thought we'd share these to provoke some thoughts amongst readers:

• The first relates to data subject access requests from employees, former employees or as a result of a data breach, where we can help with delivery, training, strategy and process.
• The second is to provide insightful training to improve confidence in compliance with and awareness of data protection laws, increasingly a factor assessed in regulatory action. We can provide impactful in-person training as well as developing engaging e-learning training.
• The third is regulating AI – whether in contracts, dealing with security implications, or putting in place policies and governance. 

Our contents this month:

• Our events and articles
• General updates
• Adtech and direct marketing
• AI and Innovation
• Cyber, breach and ransomware
• Employment and Data Subject Rights
• Data Transfers
• Public sector

Our events and articles

Back to top >

Data Protection & Cyber Security Breakfast Briefings

Throughout 2024, we will be running a series of Data Protection & Cyber Security Breakfast Briefings where we will be discussing recent developments – with our first January briefing at full capacity in our London office. If you are interested in future briefings please let us know. 

The role of Generative AI in cybersecurity and privacy: blog by Andrew Jacobs and Claire Bowler

Check out Andrew Jacobs’ and Claire Bowler’s blog “The role of Generative AI in cybersecurity and privacy”, which explores the cybersecurity and privacy considerations for using Generative AI applications in the insurance industry.

SEC Cybersecurity Rule 2023 – new transparency rules for corporate governance and incident response: Stewart Room’s blog

Check out Stewart Room’s blog “SEC Cybersecurity Rule 2023 - new transparency rules for corporate governance and incident response”, which details how the Securities and Exchange Commission (“SEC”) deals with the reporting of material cybersecurity incidents.

Ransoms and Chief Information Security Officers (“CISOs”) – charting the best course through treacherous waters: Stewart Room’s blog

Check out Stewart Room’s blog “Ransoms and Chief Information Security Officers (CISOs) – charting the best course through treacherous waters”, which highlights the distinction between a ‘ransomware attack’ and a ‘ransom attack’ and describes considerations for a CISO in making ransom payment decisions.

General updates

Back to top >

UK – Information Commissioner warns UK's top websites to make cookie changes

On 21 November 2023, the Information Commissioner ("IC") warned that he has contacted many of the UK's most visited websites who are not using cookies in compliance with data protection laws with his concerns. The IC has given these organisations 30 days to comply with the law, otherwise they face enforcement action. More recently, the IC released to the public a copy of the letter sent to the operators of these websites, which details the steps companies need to take to address the non-compliance.

EU – The EDPB Data Protection Guide for small business is now available

The European Data Protection Board (“EDPB”) has launched its guide for small business. In its toolkit, the EDPB provides basic and easy-to-use guidance on how small business can comply with the General Data Protection Regulation. The site provides an overview on understanding data protection basics, respecting individual's rights, being compliant, securing personal data, and responding to a data breach.

EU – EDPB provides clarity on tracking techniques covered by the ePrivacy Directive

On 14 November 2023, the EDPB adopted Guidelines on the technical scope of Article 5 (3) of the ePrivacy Directive ("Guidelines"). With the emergence of new tracking technologies, the Guidelines aim to provide legal certainty to data controllers and individuals as to which tracking techniques are covered by the ePrivacy Directive.

The Guidelines are open for public consultation until 18 January 2024.   

EU – European Council adopts final version of the Data Act

Following adopting by the European Parliament, on 27 November 2023, the European Council adopted the Data Act (“Act”) which aims to "ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all". 

Some of the key areas of the Act include: reinforcing data portability and data sharing measures to allow cheaper aftermarket and other data-driven innovative services; rules governing the processing of data shared with third parties; methods to rebalance the negotiation powers of small and medium businesses to prevent contractual imbalances and allowing end users to effectively switch between cloud and edge service providers. EU member states are responsible for defining rules on penalties in relation to this Act.

The Act will come into force on the 20^th day after it has been published in the EU’s official journal, although most of its provisions will not be applicable until 20 months after it becomes law by way of a transition period.

UK - UK DPDI Bill goes through third reading

On 29 November 2023, the Data Protection and Digital Information Bill (“DPDI Bill”) (no longer No.2!) had a third reading in the House of Commons where numerous proposed amendments were discussed – with some representing significant changes to the current UK data protection regime.

Examples of some of the proposed changes include: measures to tackle benefit fraud (such as new powers to request data from third parties and regular checks on bank accounts to identify when the benefit eligibility threshold has been exceeded); a ‘data preservation process’ requiring social media companies to keep relevant personal data which could be used in investigations or inquests into child suicide; and the ability for Counter Terrorism Police to keep biometric information in certain circumstances about individuals who pose a potential threat to national security. These proposed amendments are currently being discussed in Parliament as the DPDI Bill progresses through the House of Lords.

EU – CJEU clarifies imposition and calculation of fines under GDPR

On 5 December 2023, the Court of Justice of the European Union (“CJEU”) held that a data controller can only receive an administrative fine for infringing the GDPR where such infringement was committed ‘wrongfully’ – which includes both intentionally and negligently.   

EU – CJEU regards possible misuse of personal data as likely to constitute non-material damage

On 14 December 2023, the CJEU made a preliminary ruling clarifying the conditions for awarding compensation for non-material damage where personal data held by a public agency are subject to a cyberattack. The CJEU determined as follows:

• Unauthorised disclosure of or access to personal data does not, by itself, mean that the data controller had not implemented appropriate protective measures. The courts must assess the appropriateness of those measures in a concrete manner;
• The data controller must prove that the protective measures it had implemented were appropriate;
• Where unauthorised disclosure of or access to personal data had been committed by a third party, the data controller may need to compensate the data subjects who have suffered damage, unless it can prove it is not responsible for the damage; and
• Possible misuse of personal data by a third party due to a GDPR infringement is capable, in itself, of constituting ‘non-material damage’.

Adtech and direct marketing

Back to top >

UK – Information Commissioner's Office issues three fines totalling £170,000 for unlawful direct marketing           

Digivo Media Ltd (“DML”), MCP Online Ltd (“MCP”) and Argentum Data Solutions Ltd (“ADSL”) have been fined a combined total of £170,000 by the Information Commissioner’s Office (“ICO”) for contravening the Privacy and Electronic Communications Regulations 2003. DML was fined £50,000 for sending more than 415,000 text messages without valid consent; MCP was fined £55,000 for making unsolicited financial services calls about pensions (20,939 of which were made to individuals registered with the Telephone Preference Service); and ADSL was fined £65,000 for sending and allowing third parties to send more than 2.3 million direct marketing text messages without valid consent.

AI and innovation

Back to top >

UK – UK and US Develop Global guidelines for AI Security

On 27 November 2023, the UK and US launched the first guidelines for Artificial Intelligence (“AI”) security, which have already been endorsed by 15 countries, including Canada, Australia and Nigeria. The guidelines are designed to assist providers of AI systems to build their software in line with the ‘secure by design’ principles.

UK – Draft AI Bill introduced UK Parliament

The Artificial Intelligence (Regulation) Bill was introduced into the House of Lords on 22 November 2023 and is currently at the Second Reading stage. The purpose of the Bill is to provide rules for AI and for connected purposes. The Bill has two focuses: firstly, the consideration of the principles of safety, security and robustness at the time AI is created; and secondly, the obligations imposed on the Secretary of State to make further rules regarding the designation of an AI officer, methods to provide and withhold consent and transparency when supplying an AI product.

Cyber, breach and ransomware

Back to top >

UK – UK and Republic of Korea issue a warning about DPRK State-linked cyber actors

On 23 November 2023, the UK Government's National Cyber Security Centre ("NCSC") and the Republic of Korea's National Intelligence Service ("NIS") issued a joint advisory detailing how cyber actors linked to the Democratic People's Republic of Korea ("DPRK") carry out software supply chain attacks. This follows from the recent announcement of the new Strategic Cyber Partnership between the UK and the Republic of Korea to tackle cyber threats.

A statement from the NCSC notes that the cyber actors are leveraging zero-day vulnerabilities in third-party software to gain access to break into supply chains. The NCSC and NIS believe these attacks are likely to increase, and therefore encourage organisations to follow the recommended actions in the joint advisory to protect themselves.

UK – NCSC says cyber-readiness of UK's critical infrastructure isn't up to scratch

In the National Cyber Security Centre's (NCSC) Annual Review, NCSC has admitted that the UK's level of cybersecurity resilience in the UK's most critical areas isn't sufficient. The NCSC called for a better baseline of security and said they plan to continue forming relationships to ensure attack data and learnings are shared.

UK – ICO fines Ministry of Defence for Afghan evacuation data breach

On 13 December 2023, the ICO fined the Ministry of Defence (“MoD”) for inadvertently disclosing the details of 245 people seeking to relocate to the UK after the Taliban took control of Afghanistan in 2021. MoD emailed a distribution list of Afghan nationals eligible for evacuation using the ‘To’ field, meaning the recipients could see each other's personal information, with 55 people having thumbnail pictures connected to their email profiles. Two recipients subsequently ‘replied all’ to the MoD’s email, with one of them revealing their location.

The MoD were initially fined £1m, however, this was reduced to £700,000 to reflect the MoD’s remedial actions, and further reduced to £350,000 under the ICO’s public sector approach.

Employment and Data Subject Rights

Back to top >

UK – The CJEU rules that the controller must provide a data subject with a first copy of their medical record free of charge

The respondent in this case requested a copy of his medical records from the appellant. The appellant originally refused this request unless the respondent agreed to cover the costs. The court at first instance held in favour of the respondent, which was confirmed by the CJEU upon appeal. In its judgement, the CJEU considered several questions about the interpretation of the Article 12 and Article 15 of the EU GDPR. 

UK – ICO publishes draft guidance on employment practices and data protection

The ICO has published two new pieces of draft guidance - ‘keeping employment records’ and ‘recruitment and selection’ – which aim to help employers, and recruiters who act on their behalf, comply with their obligations under data protection law.

Both pieces of guidance are open for public consultation until 5 March 2024.

Data Transfers

Back to top >

UK – International Data Transfers Expert Council releases report on international data transfers

On 20 November 2023, the UK Government's International Data Transfers Expert Council ("Council") submitted their report on the challenges to a sustainable and scalable approach to international data transfers and proposed solutions ("Report") to the Department for Science, Innovation and Technology ("DSIT") for consideration. The Report sets out the Council's findings and makes recommendations for the DSIT to promote and facilitate the development of a global solution on international data transfers.

UK – ICO publishes guidance on transfer risk assessments for US data transfers

Under data protection law, an organisation must carry out a Transfer Risk Assessment (“TRA”) where it is making a restricted transfer of personal data and relies on an appropriate safeguard or exception. On 15 December 2023, the ICO published guidance on how TRAs should be completed, with a particular focus on UK-US data transfers. The guidance also covers the effect of the recent introduction of the UK Extension to the EU-US Data Bridge, which removes the need for appropriate safeguards or exceptions to certified US recipients.

UK – ICO introduces new guidance on the UK Binding Corporate Rules Addendum

On 19 December 2023, the ICO published guidance on how organisations can apply for bespoke binding corporate rules (“BCR”), as an appropriate safeguard, using the UK BCR Addendum (“Addendum”). The Addendum can be used in its standard form as published by the ICO, or organisations can tailor it and submit it to the ICO for approval.

EU – European Commissioner announces latest international data transfer plans

At the IAPP Europe Congress held on 16 November 2023, the European Commissioner (“EC”) announced that a new adequacy decision on the transfer of data between the EU and an “international organisation” should soon be announced, also revealing that discussions are underway regarding a California adequacy decision under the California Consumer Privacy Act. The EC also stated the 11 existing adequacy decisions are currently being evaluated and a report is expected to be published “in the coming weeks”.

Public sector

Back to top >

UK – ICO reprimands council for disclosing domestic abuse victim’s details to ex-partner

The ICO has issued a reprimand to Charnwood Borough Council after it sent a letter detailing the new address of the victim to her previous address – an address which she shared with her ex-partner. The ICO has since called on other organisations to learn from this incident and provided examples of some of the steps that could be taken to prevent the same mistake happening again, which include putting alerts on vulnerable service user files, having a clear and proper process in place for managing address changes, and ensure staff receive adequate data protection training including regular refreshers.

UK – Hospitals urged to improve data protection standard following incident at NHS Fife

The ICO concluded that NHS Fife did not have appropriate security measures for personal information and issued them with a reprimand. This conclusion came after an unauthorised individual was able to walk into NHS Fife premises and access the personal information of 14 patients.

If you have any questions relating to this article, please reach out to our authors below.