DWF Data Protection insights January 2024

This month in review:

This month, the key themes focus on regulatory matters, particularly in relation to the use of artificial intelligence, which is fast developing. There have also been updates from the European Commission, which has been soliciting feedback on the EU GDPR as we approach the 6 year mark since it came into effect, and confirmed it will be retaining all existing adequacy decisions. 

There are also lots of new legislative updates across the UK and EU, including the EU Data Act, which is now in force, and the publication of the draft codes of practice from OFCOM, as the regulator for the Online Safety Act 2023. 

Our trends 

Also this month, we've identified some key themes of what our clients are asking us. We thought we'd share these to provoke some thoughts amongst readers so please do reach out to us for advice or assistance:

• The first relates to cookie compliance audits, including the review of cookie policies and consent statements, which is a hot area for UK and EU regulators. Ask James Drury-Smith or JP Buckley for more details.  
• The second relates to data subject access requests from employees, former employees or as a result of a data breach, where we can help with delivery, training, strategy and process. Ask JP Buckley for more details.
• Third is our insightful analytics into your organisation's confidence to deal with the specific data protection and cyber security challenges it faces. We have a proprietary methodology for assessing this, enabling you to see where you need to take targeted intervention to reduce the greatest risks applicable to the unique characteristics of your organisation. Ask JP Buckley for more details.

Our contents this month:

• Our events and articles
• General updates
• Adtech and direct marketing
• AI and Innovation
• Cyber, breach and ransomware
• Data Transfers
• Public sector

Our events and articles

Back to top >

Data Protection & Cyber Security Breakfast Briefings 

We held our first Data Protection & Cyber Security Breakfast Briefing at our London office on 31 January and it was a huge success! Hosted by Stewart Room, we discussed the UK and EU developments in cyber security law, and the increasing disparity between them, giving rise to different risks. 

We will be hosting a series of these Breakfast Briefings throughout 2024.If you are interested in attending please let us know.

We have expanded – meet our new Data Protection Extend & Accelerate Team!

We have just launched our new Data Protection and Cyber Security team – Data Protection Extend & Accelerate, who are based in our Warsaw office, but integrated into our UK team. This new team comprises lawyers who can be your secondees. They have received bespoke and expert training, focusing on the typical in-house challenges our clients may face, and will provide flexible resource to support with managing your data and cyber needs. View our flyer for more details or get in touch with the author of this insight.

Consumer Trends 2024: The use of facial recognition in the Retail sector 

Check out Stewart Room's and Tughan Thuraisingam’s insight featuring in our Global Consumer Trends 2024: The use of facial recognition in the Retail sector, which explores the challenges retailers face in this contentious area and how they can manage them effectively. 

Privacy considerations for schools from a cyber incident

James Manari’s article “Privacy considerations for schools from a cyber incident” explores the impact cyber incidents have on schools and what further considerations schools must take if they fall victim to a cyber incident. 

General updates

Back to top >

EU – The Data Act enters into force 

On 11 January 2024, the Data Act entered into force and will become applicable on 12 September 2025. The Data Act aims to create fairness in the digital world and is an integral part of the European data strategy. Some of the new rules that we will see include:

• Greater control over data by users – qualified ‘data holders’ will be required to share data with third parties through ‘connected products’, ‘related services’ and ‘virtual assistants’, giving users more control whilst preserving trade secrets.
• Better access to data for public sector bodies – in some cases, public bodies can request access to, and use, data held by private sector bodies if needed to respond to a public emergency.
• Protection from unfair terms – businesses will be protected against unfair terms that are unilaterally imposed on them. 
• Efficient service switching – new obligations to allow customers to easily switch between data processing services, which will eventually become free of charge.
• Safeguards for the transfer of or access to non-personal data – providers of data processing services will be required to implement appropriate safeguards (e.g. having an international agreement in place) to prevent unlawful access by third countries.

EU - Google Cloud to end data transfer fees

Google Cloud have announced they will be removing exit fees for any customers who leave their cloud services. Egress fees, fees incurred by regular or irregular transfers from their services will not be removed, however, parties that wish to leave their services completely will not be subject to an exit fee. Google Cloud are the first hyperscale provider to take such action, which coincides with a time when regulators worldwide are reviewing business practices that appear to restrict user options to leave certain companies' services.

UK – Information Commissioner’s Office ("ICO") issues a statement in response to the UK Parliament’s facial recognition inquiry

Following the ICO’s investigation into live facial recognition technology in December 2023, the ICO has issued a statement in response to the UK Parliament’s Justice and Home Affairs Committee letter. The ICO has acknowledged that this technology “can bring benefits in helping to prevent and detect crime”, it is concerned that “it relies on processing large amounts of sensitive personal data” and that’s why its use is strictly controlled. 

EU – European Data Protection Board ("EDPB") adopts the second Coordinated Enforcement Framework ("CEF") report on the Designation and Position of Data Protection Officers ("DPOs")

On 16 January 2024, the EDPB adopted its second CEF report focusing on the designation and position of DPOs. 25 European supervisory authorities investigated and assessed the role of DPOs to assess its effectiveness following the implementation of the EU GDPR in 2018. Whilst many of the results were positive, the report identified some challenges faced by DPOs such as:

• In some cases, no DPO was appointed but should have been. 
• A lack of resources available to DPOs from data controllers and data processors.
• A lack of knowledge or training of the DPO. 
• Some DPOs were not fully or explicitly entrusted with the tasks required by the EU GDPR.
• Lack of independence in their role as a DPO.
• Lack of reporting by DPOs to senior management. 
• The need for further guidance from supervisory authorities to address the challenges identified by the report.

UK – Updates following the enactment of the Online Safety Act 2023 ("OSA")

1. ICO launches a new campaign to promote sharing data to safeguard children 
   • Following the enactment of the OSA, the ICO has announced it will be partnering with education, law enforcement and social service organisations as part of its new ‘Think. Check. Share.’ campaign to help organisations share personal data safely to protect children and young people from harm. The ICO has also created a free toolkit containing a range of resources, which organisations can use to promote responsible data sharing and increase confidence of doing so in the workplace.
2. ICO publishes its updated opinion on age assurance for the Children’s Code
   • The ICO has also recently published its updated opinion, giving organisations clarity on their age assurance obligations to prevent children from accessing adult, harmful or otherwise inappropriate consent whilst online.
3. The Office of Communications (OFCOM) launches consultation on proposed codes of practice
   • On 30 January 2024, OFCOM announced it had launched a consultation on the proposed codes of practice on how online service providers should meet their new obligations under the OSA to protect people from illegal harms online. The draft codes of practice are available to view as Annexes via the above link. The consultation will remain open for comments until 5pm on 23 February 2024. In discussing this during a presentation, there are areas that require clarification – so if you're affected do read through and provide consultation responses. 

EU – The European Commission ("EC") solicits feedback on the EU GDPR

The purpose of the EU GDPR is to protect the fundamental right to data protection, and it sets out the rights of individuals in the EEA. As the main piece of EU legislation related to data protection, it also imposes obligations on organisations and businesses that process the personal data of people in the EEA.

The EC has announced an initiative that will examine and report on how the EU GDPR has been applied over the last six years, based on feedback it receives from registered and approved participants. The EC’s report will add to a similar report that was published in 2020.

Spain – AEPD publishes guide on audience measurement cookies ("AMCs")

AEPD, the Spanish data protection authority, has published a guide on the use of cookies related to audience measurement tools. The guidance states AMCs may be used to gather performance statistics or website traffic details, but they must only produce anonymous statistical data and must not be compared to other processing operations or transmitted to a third party. Strictly necessary AMCs, such as page load time statistics and statistics on user actions, are exempt from requiring consent on the condition that the minimum guarantees are implemented. However, it is important to note that cookies which reuse data for other purposes will still require valid consent to be obtained. The guide can be accessed here (it has only been released in Spanish, however, we do have a team in Spain who would be delighted to help). 

UK – UK-Japan Digital Partnership progress and planned initiatives

The progress and future initiatives of the Partnership have recently been examined. The Partnership was launched on 7 December 2022 and is based on the shared democratic and societal values of the two nations such as the protection of human rights and fundamental freedoms, and the protection of individuals’ privacy and personal data. A non-exhaustive list of the topics considered include: the upcoming research into data flows related to the development and use of Artificial Intelligence (AI); the Partnership’s on-going collaboration to ensure safe and trusted data flows between the two countries are maintained and continuously improved; and the issues regarding the digital AI and Zero Trust Architecture policies.

EU – EDPB launches website auditing tool for testing compliance

An auditing tool to help analyse whether websites are compliant with the law has been launched by the EDPB. The tool is accessible to both legal and technical auditors at data protection authorities, controllers and processors. The tool is free to use and is available to download here.

EU – European Data Protection Supervisor ("EDPS") publishes opinion on temporary derogation from ePrivacy Directive to combat child sexual abuse material

In its opinion, the EDPS recommends the proposed regulation to extend the temporary derogation from certain provisions of the ePrivacy Directive to combat child sexual abuse online is not adopted until the necessary safeguards have been introduced to protect the fundamental rights and freedoms of individuals.

Adtech and direct marketing

Back to top >

UK – ICO issues 4 fines totalling £440,000 for illegal direct marketing activities

The ICO has fined two home improvement companies a total of £250,000 for making illegal marketing calls, a food delivery company £140,000 for sending 80 million spam messages in a 7-month period, and a financial services company £50,000 for sending tens of thousands of spam text messages without valid consent, all of which contravene the Privacy and Electronic Communications (EC Directive) Regulations 2003. 

AI and innovation

Back to top >

UK – ICO launches a consultation series on generative artificial intelligence ("AI")

The first generative AI consultation, which remains open until 1 March 2024, examines how generative AI models can be lawfully trained and focuses on legitimate interests as the lawful basis for processing personal data under Article 6 of the UK GDPR. Future ICO consultations on the accuracy of generative AI outputs are expected to be launched throughout the first half of 2024. 

International - The World Health Organization ("WHO") releases guidance on AI ethics and governance for large multi-modal models ("LMMs")

In its new guidance, the WHO identifies the risks and potential benefits of using LMMs within the healthcare industry and outlines over 40 recommendations to be considered by governments, technology companies and healthcare providers to ensure they are used appropriately. The WHO have provided five broad applications where this type of AI can be used for health:

• Diagnosis and clinical care, such as responding to patients’ written queries;
• Patient-guided use, such as for investigating symptoms and treatment;
• Clerical and administrative tasks, such as documenting and summarising patient visits within electronic health records;
• Medical and nursing education, including providing trainees with simulated patient encounters; and
• Scientific research and drug development, including to identify new compounds.

UK – the Central Digital and Data Office ("CDDO") publish generative AI framework 

On 18 January 2024, the CDDO published the generative AI framework for civil servants and employees of His Majesty’s Government. The framework defines 10 common principles to follow to ensure generative AI is used safely and responsibly within the Government:

• Principle 1: You know what generative AI is and what its limitations are;
• Principle 2: You use generative AI lawfully, ethically, and responsibly;
• Principle 3: You know how to keep generative AI tools secure;
• Principle 4: You have meaningful human control at the right stage;
• Principle 5: You understand how to manage the full generative AI life cycle;
• Principle 6: You use the right tool for the job;
• Principle 7: You are open and collaborative;
• Principle 8: You work with commercial colleagues from the start;
• Principle 9: You have the skills and expertise that you need to build and use generative AI; and
• Principle 10: You use these principles alongside your organization's policies and have the right assurance in place.

EU – EC developments regarding the use of AI

1. EC announces the establishment of the European AI Office 
   • AI technology and its implementation into the consumer markets is fast evolving and it offers many potential benefits to society. However, it also poses heightened risks to individuals, especially in relation to the use of their personal data. Given the rapid development of AI regulations in the EU, the EC has announced its intention to open an internal AI office within the Commission to function as a foundation for a single governance system dedicated to ensuring and enforcing AI related legislation in a harmonised and effective manner. Furthermore, the AI Office will oversee the advancements in AI technology, foster a relationship with the scientific community and have a pivotal role in investigating and testing emerging AI technology. 
2. EC adopts its own approach on development and use of AI
   • In preparation of the EU AI Act, the EC has recently announced how it will internally develop and use lawful, safe and trustworthy AI. Its approach will involve:
     • Developing internal guidelines for its own staff who are involved in the use, development or procurement of AI systems;
     • Using a risk-based approach, assessing and classifying what AI systems it currently uses and those that it intends to use in the future;
     • Not using AI systems that are incompatible with European values or represent a threat to the security, safety, health and fundamental rights of people; and 
     • Implementing organisational structures to fulfil its obligations.

UK – British Standard Institution ("BSI") launches guidance to support responsible AI management

On 16 January 2024, the BSI has published “British Standard BS ISO/IEC 42001:2023 - Information Technology - Artificial Intelligence - Management System” (the UK implementation of ISO/IEC 42001:2023). The standard aims to help organisations ensure they use AI technology responsibly, particularly with a focus on ensuring appropriate safeguards are in place (such as risk assessments and controls) from the initial design phase through to the provision of the product or service itself.

Cyber, breach and ransomware

Back to top >

EU – EDPB publishes one-stop-shop case digest on Security of Processing and Data Breach Notification

On 18 January 2024, the EDPB published the case digest on a number of one-stop-shop decisions relating to Articles 32 (Security of Processing), 33 (Notification of a Personal Data Breach to the Supervisory Authority) and 34 (Communication of a Personal Data Breach to the Data Subject) of the EU GDPR. Of particular note is that, although a data controller’s notification obligation is limited to data breaches that are likely to present risk to the rights and freedoms of an individual, the EDPB have found they tend to report anyway rather than risk being in violation of the law. The case digest further states shat the Court of Justice of the European Union is expected to provide more detail on the appropriateness of technical and organisational measures to protect against security risks. 

UK – NCSC publishes report on near-term impact of AI on cybersecurity

On 24 January 2024, the NCSC published its report which assesses the impact of AI on cyber security threats. Key conclusions include: 

• AI will “almost certainly” increase the volume and impact of cyber attacks over the next two years, the threat of which comes from the development of pre-existing tactics, techniques and procedures.
• AI is being used across all types of cyber threat actors.
• AI enhances reconnaissance and social engineering capabilities, making cyber attacks stronger and harder to detect.
• Threat actors will work more efficiently as they will be able to analyse exfiltrated data quicker and use it to train AI models.
• It will be easier for novice cyber criminals, hackers-for-hire and hacktivists to be involved in cyber operations, which is likely to contribute to the global ransomware threat over the next two years.
• Ransomware is likely to increase due to cyber criminals exploiting their AI business models to gain efficiencies and maximise profits.

UK – The Department for Science, Innovation and Technology ("DIST") calls for views on the draft Cyber Governance Code of Practice

On 23 January 2024, the DIST announced it has opened a consultation soliciting feedback on the draft Cyber Governance Code of Practice, which will remain open until 19 March 2024. The draft code focuses on ensuring businesses have sufficient and clear procedures in place (that are frequently tested) in order to identify, respond and recover from a cyber security incident and also ensure any breaches are documented in accordance with their obligation under Article 33(5) of the UK GDPR. 

Data Transfers

Back to top >

EU – EU retains all existing adequacy decisions

On 15 January 2024, the EC confirmed in its first review report that all existing 11 adequacy decisions will be retained – to recap, this means personal data can flow freely from the EU to Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay without the need for further safeguards. The UK wasn't mentioned in this, so we assume the usual review period will apply as set out in the Brexit agreement.

Public sector

Back to top >

The Court of Justice of the European Union ("CJEU") holds that the storage of biometric and genetic data of criminals until their death contravenes EU law

The CJEU has held that data controllers indiscriminately storing the biometric and genetic data of criminals until death cannot be justified under EU law. In its decision, the CJEU stated that the risk level associated with the criminal (such as seriousness of the offence and the tendency to reoffend), must be assessed to determine if the storage of a person’s data in the police records until death is appropriate. It is the CJEU’s opinion that the time limit of ‘until death’ is only acceptable under extremely specific circumstances. Furthermore, the CJEU stated that, under EU law, the data controller must periodically review whether the storage of a person’s data is still necessary, and when it is not then the data subject is entitled to erasure and this includes criminals.

UK – Biometrics and Surveillance Camera Commissioner ("BSCC") lays annual report in Parliament

On 24 January 2024, the BSCC laid its annual report for 2022 – 2023 in Parliament. The report analyses how oversight of public space surveillance camera systems, biometric materials and the use of DNA and fingerprints by the police in England, Wales and Northern Ireland will change under the Data Protection and Digital Information Bill. The report identified a number of issues regarding the retention of biometric data of unconvicted individuals who are either at risk to national security or have been arrested for certain offences, DNA handling errors rendering samples unusable and the use of surveillance cameras and drones. 

If you have any questions relating to this article, please reach out to our authors below.