DWF Data Protection Insights February and March 2024

This month in review:

In February and March, the key themes include regulatory matters, particularly in relation to the fast developing use of artificial intelligence. There have also been updates from the European Protection Data Board as it issued new framework designed to make the right of access easier to exercise and provide further guidance to organisations on best practices for responding to data subject access requests.  

There are also lots of new legislative updates across the UK and EU on cyber security and direct marketing. 

We've also identified some key themes emerging from our work with clients. We thought we'd share these to provoke some thoughts amongst readers, so please do reach out to us for advice or assistance in relation to:

• International data transfers – assessing your current transfers and understanding their position in case the EU’s adequacy decision of the UK is withdrawn – and putting in place intra-group agreements to mitigate this risk; 
• Data subject access requests continue to be a challenge, whether from employees, former employees or as a result of a data breach, where we can help with DSAR delivery, training, strategy and process. You can reach out to JP Buckley for more details.  
• Dealing with Ransomware / breach events – we're engaged with a few clients on this right now, but to be ahead of the game, sign up for our next Breakfast Briefing on 25 April in Manchester – please see the details below and don’t forget to sign up!   

Our contents this month: 

• Our events and articles
• General updates
• Adtech and direct marketing 
• AI and Innovation 
• Cyber, breach and ransomware
• Employment and Data Subject Access Requests 

Our events and articles

Back to top >

What does 2024 hold for data protection claims and cyber risk?

Check out Stewart Room's and Jamie Taylor's article which examines the courts' recent approach to data protection compensation claims, highlights cyber attack trends and explains what we can expect for 2024.

Is AI the future of insurance? 

Mary Kelly's article explores the likely impact of artificial intelligence ("AI") on the insurance sector and what organisations can do to prepare for the change. 

DWF brings proprietary data culling and sorting to NetDiligence

DWF’s James Manari and Thomas Morse recently attended the NetDiligence Cyber Risk Summit in Miami Beach, where over 120 thought leaders in the industry discussed a range of cyber-related topics.

In pursuit of privacy: The third chapter of EU-US Data Privacy Framework

In this article, Sakshi Kalra provides an overview of the development of the EU and US adequacy relationship and the introduction of the EU-US Data Privacy Framework in 2023.

Data Protection & Cyber Security Breakfast Briefings – sign up for Manchester on 25 April 

We held another successful Data Protection & Cyber Security Breakfast Briefing at our London office on 28 March which was hosted by Stewart Room and the team.  During this interactive session, we condensed the crucial first week of incident response into a comprehensive two-hour incident response simulation. Stewart Room also imparted valuable practices that any organisation can adopt to enhance their cyber-attack readiness and reduce associated commercial risks.

We are excited to bring this session to Manchester on the morning of 25 April. If you are interested in attending, please let us know by contacting your usual Data Protection & Cyber Security contact, or emailing dpcs@dwf.law with the subject “Manchester Breakfast Briefing” or RSVP here. 

General updates

Back to top >

UK: ICO Publishing new fining guidance

The ICO have published new data protection fining guidance which considers how the ICO calculates fines and issues penalties. The publication of the guidance follows a period of consultation during 2023.

You can read the guidance in more detail here.

UK: House of Lords to launch a committee to review the data privacy adequacy agreement by the EU of the UK (and hence transfers EU to UK and vice versa)

An enquiry has been launched by the House of Lords European Affairs Committee concerning the UK’s approach to data adequacy and its potential implications for the UK-EU relationship. Chaired by Lord Ricketts, the enquiry will focus on, amongst other things, the existing adequacy agreement between the UK and the EU and the implications of any impact on that agreement. The committee is currently inviting written evidence to be submitted to them for consideration with the aim to produce the report by July 2024.  This is as the Data Protection and Digital Information Bill proceeds through its House of Lords stages. 

UK: ICO calls for senior leaders to take transparency seriously

The ICO have called on senior leaders to remind them of their commitment to data transparency. This follows the ICO’s regulatory action taken against five public organisations for their lack of transparency. The ICO have provided some simple guidance to senior leaders on steps they can take to better meet the expectations placed on them.

EU: In pursuit of privacy: the 3rd chapter of EU- US Data Privacy framework

DWF have published a detailed article unpacking the intricacies surrounding the third chapter of the EU-US Data Privacy Framework. The article provides helpful guidance on the practical and essential steps organisations should look to embrace to ensure a compliant approach is being taken.

UK: Proposed UK AI Regulation Bill received second reading in House of Lords

The proposed UK AI Regulation Bill has received its second reading in the House of Lords. Expected to be considerably different to the EU AI Act, the UK AI Regulation Bill considers a pro-innovation approach to be the fundamental basis from which this Bill is built. The proposed UK Bill may place further requirements on business who look to introduce AI into their data-processing procedures, not least with the appointment of a dedicated AI officer. Further developments and news are expected as the year progresses.

UK: The Information Commissioner's Office ("ICO") approves a legal services certification scheme

On 13 February 2024, the ICO approved the fifth set of UK GDPR certification criteria entitled (the Legal Services Operational Privacy Certification Scheme), which is aimed at helping legal service providers that process personal data comply with UK data protection law. 

EU – The Digital Services Act ("DSA") enters into full effect

The DSA entered into full effect on 17 February 2024, meaning new responsibilities for online platforms that have users in the EU (apart from certain small and micro enterprises) will be implemented. These include:

• Cooperate with specialised entities and ensure users can flag illegal content on the platforms.
• Ban advertisement that target minors or target users based on special category data.
• Provide users with more information about the advertisements they are seeing.
• Explain to affected users the reason for content moderation decisions and ensure users can challenge them.
• Annually report on their content moderation procedures.
• Provide clear terms and conditions.
• Designate a contact for authorities and users to reach out to. 

There are also certain obligations for hosting services and online intermediaries.

UK: Final Report on Financial Institutions’ participation in the ICO’s Regulatory Sandbox issued

The ICO’s Regulatory Sandbox service provides support to organisations which intend to use personal data in innovative ways whilst developing products or services. It offers organisations of all sizes the opportunity to engage with and draw upon the ICO’s expertise with projects operating within challenging areas of data protection. The participating ‘financial institutions’ are a group of banks seeking to implement an information sharing pilot, with facilitation by the UK Home Office and UK Finance.

The key data protection considerations for this complex data sharing ecosystem include the following: data minimisation; data protection roles and responsibilities; lawful basis for processing; and data protection impact assessments (“DPIAs”), all underpinned by the principles of UK GDPR. For example, in relation to DPIAs, the Sandbox notes that the financial institutions must consider and make clear how requests to exercise individual rights will be handled and the processes that it will put in place to prevent ‘creep factor. ’

The Final Report can be accessed here.

France: CNIL outlines regulatory priorities for 2024 

The CNIL announced its main priorities and activities for 2024, which include the following:

• The CNIL will pay special attention to the data protection issues, which include the security measures and data collection practices, related to the Paris 2024 Olympics and Paralympics. 
• The CNIL will monitor the online platforms that collect and process minors' data and will assess and check the adequacy of the age verification and consent mechanisms.
• The CNIL will scrutinise the data collection practices of retailers, especially those that use loyalty programs and digital receipts, to ensure that customers are informed and have provided their consent to the use of their data.
• The CNIL will implement the EDPB Coordinated Enforcement Framework in its national regime and harmonise its approach to data subjects' rights of access with the European standards.

Full article can be accessed here.

UK: ICO publishes blog outlining measures app developers can take to protect user privacy

The ICO reminded all app developers about the importance of protecting user's data, especially where sensitive data is being collected. To assist the developers, the ICO outlined four practical steps to ensure compliance with the UK data protection regulations: 

• Be transparent: Apps must tell users how their personal data is being handled, including why it's being collected, how long for and who is it shared with. This information must be clear and easily accessible. 
• Obtain valid consent: app developers need explicit opt-ins to use personal data and allow users to opt out at any stage of using the app. 
• Identify correct lawful basis: app developers need a valid lawful basis such as consent, contract, or legitimate interest to process data legally. The ICO will not accept use of the same lawful basis for everything. 
• Be accountable: app developers must protect personal data. They are data controllers who must follow date protection law and ensure all personal data is processed lawfully.

ICO's website can be accessed here.

France: CNIL publishes annual report for 2023

In 2023 the CNIL imposed 42 sanctions totalling nearly €90 million. In addition, the organisation served over 168 formal notices and 33 reminders of legal observations. The CNIL has issued sanctions on actors for violating data protection rules, especially on employee surveillance, advertising, and e-commerce. The CNIL has also cooperated with other European authorities to ensure a consistent application of the GDPR. 

The CNIL found that the most common violations were related to the lack of adequate security measures and the lack of cooperation with the CNIL. It also issued a record number of formal notices, including 39 to municipalities that had installed automated plate readers for administrative and judicial purposes. The CNIL stated that only the national police or gendarmerie services were authorised to process this type of data. 

The CNIL indicated that the trend of enforcing measures to bring organisations into compliance will continue in 2024.

The full article can be accessed here.

UK: ICO publishes guidance on data protection in content moderation 

The ICO issued new guidance on how to moderate user-generated content in accordance with data protection law. The guidance also explains how content moderation affects the information rights of the people who create and share content online. 

The ICO emphasised that content moderation decisions should be based on accurate and relevant information, otherwise they could result in unlawful or unfair removal of content or exclusion of individuals from online platforms. 

The guidance was developed in collaboration with Ofcom and is intended to help organisations that fall under the Online Safety Act 2023 to comply with data protection law and fulfil their online safety obligations.

UK: John Edwards speaks at IAPP’s Data Protection Intensive UK

The Commissioner of the ICO, John Edwards, delivered a speech at the IAPP’s Data Protection Intensive UK, where he discussed the following topics:

• The Children’s code: He praised the positive impact of the code on children’s privacy and called for more improvements in some areas. He also stressed the need to work with influential stakeholders to change their practices and put children first.
• The cookies policy review: He celebrated the success of the review, which led to 80% of the organisations changing their cookies banners to comply with the law. He also proposed an automated process for monitoring and enforcing cookies compliance at scale.
• The generative AI systems: the commissioner acknowledged the challenges posed by these systems and emphasised the importance of developing them in line with UK GDPR principles.

He also reaffirmed the ICO’s proactive and collaborative approach and mentioned several projects with other regulators to protect personal data. 

Spain: AEPD publishes its 2024 social responsibility action plan

The APED has recently published its action plan on social responsibility in 2024. The action plans include more than 70 new measures, conveniently grouped into four sections: commitments to society; good governance, public integrity, transparency, and accountability; measures related to personnel and improvement of the environment and sustainability.

The action plan can be read in full here. 

EU: CJEU publishes opinion on sale of a database in enforcement proceedings

The EU Court of Justice was asked by a Polish court if an online platform's user data could be used to collect a debt without violating the GDPR.

The Advocate General agreed, as long as the data processing is done by the court enforcement officer in his official role for the purpose of estimating value and selling the database on an auction. For any further processing to be compliant with the GDPR it must achieve one of the objectives of the regulation. Therefore, the Polish court must balance the rights of the users to data protection and creditors' property rights.

The full press release can be accessed here.

UK: ICO and RTA publish blog on costs and benefits of adopting Privacy Enhancing Technologies

Privacy Enhancing Technologies (“PETs”) allow organisation to use sensitive data whilst still preserving users’ privacy. Research conducted by the Department for Science, Innovation and Technology, however, found that several organisations lacked an understanding of the benefits and costs associated with PETs. As a result, the government and the ICO are collaborating to develop a tool to help organisations understand the costs and benefits of using PETs.

This blog is the government’s and ICO’s first step towards creating this PETs tool.

DSIT announces advisory panel to help develop report on AI safety

Global experts from China, France, the UK, and the US are working together to bring their expertise and research on AI to the International Scientific Report on Advanced AI Safety. The findings of reports are due to be released prior to the Republic of Korea’s AI Safety Summit this spring

Adtech and direct marketing 

Back to top >

UK: ICO warns organizations to proactively make advertising cookies compliant

The ICO have announced that, after contacting 53 of the top 100 websites in the UK over their use of Cookies, the response has been overwhelmingly positive. The ICO have advised they are looking to review more websites and will be taking the same approach to increase the compliance of the UK’s most popular websites.

UK: IAB publishes resources for targeted advertising without the use of cookies

The IAB UK has created a helpful list of UK and international resources on cookieless targeting and measurement landscape. 

The resources cover both general guidelines and recommendations on more specialised subjects including data clean rooms and contextual advertising. The full resource list is available here.  

AI and Innovation 

Back to top >

Global: General Assembly adopted a critical resolution on AI 

The resolution backed by more than 120 Member States highlighted the need for respect, protection and promotion of human rights when designing and integrating AI into our lives. The resolution urged the Member States to refrain from using AI in ways that could interfere with people’s enjoyment of their right and confirmed that human rights are the same both online and offline. The resolution also encouraged Member States to cooperate and bridge the divide in technological advancements and enable developing countries to enjoy the benefits of AI.  

EU: MEPs adopt an Artificial Intelligence Act imposing more safeguards and restrictions on some AI Applications 

On 12 March the European Parliament approved a new bill banning certain AI applications based on sensitive characteristics or capturing facial recognition. This includes emotional recognition tools, untargeted scrapping of facial images and social scoring as well as any AI that manipulates human behaviour. The Parliament concluded that all of those technologies posed high-risk to fundamental human rights, safety and democracy and confirmed that the AI Office will be set up to support businesses in their journey of adapting AI in a safe and compliant manner.  

Italy: The Italian Data Protection Authority finds ChatGPT non-compliant with EU GDPR rules

Italy continues to put pressure on OpenAI. Following an initial ban in March 2023 of the OpenAI’s product. The Italian regulator launched further investigation into the ChatGPT’s collection of personal data. The regulator confirmed that a “fact finding activity” launched following the 2023 ban has now found data privacy violations related to collection of personal data and age protections. OpenAI has 30 days to respond to the regulators with its defence.

Read more here.

UK: UK & USA aim to work together to improve AI safety: 

The UK and the USA have announced a partnership to enhance their collective understanding of the most complex AI models. The partnership will take effect immediately. Both nations share a common perspective on the development and regulation of emerging technologies and hope that by collaborating together on research they will be better equipped to identify and tackle future risks. 

UK: DSIT announces advisory panel to help develop report on AI safety

In international panel of experts from 30 of the leading AI nations are working to produce the first edition of the International Scientific Report on Advanced AI Safety. The report’s goal is to help inform discussions at future AI Safety Summits and wider policy making around the world.

Read more about the report, and it aims to achieve, here.

UK: House of Lords Communications and Digital Committee Publishes Report on LLMs and Generative AI

The Committee calls for a more creative AI safety strategy, as the current one limits the technology's benefits. It warns that the UK risks losing its edge, growth, and dependence on foreign firms for a key technology. The government needs to ensure fair competition and clear regulations, or else a few tech giants may monopolise a vital market and block new entrants, repeating the existing tech sector's issues.

Full report can be accessed here.

Cyber, breach and ransomware 

Back to top >

EU: Cyber Resilience regime aims to improve security of domestic products

The EU Parliament wants to improve the cyber security resilience of everyday products (including their technical elements) such as smart doorbells, baby monitors and wi-fi routers due to the level of cybersecurity risks they pose. The draft approved by the EU Parliament states that all such products should have a security update installed automatically and separately from functionality updates. MEPs hope that the bill will help tackle the emerging cybersecurity emergency.  It is now with the EU Council to continue its lawmaking process.

EU: European Commission adopts cybersecurity certification scheme 

The European Commission has adopted its first EU cybersecurity certification scheme on Common Criteria (EUCC). The EUCC is a new scheme which looks to raise the level of security surrounding ICT products, including both hardware and software, services, and processes in the EU Market. The EUCC looks to achieve this by implementing rules, technical standard requirements, standards, and procedures which are to be applied across the Union. It is expected the adoption of the EUCC will pave the way for more schemes and certificates currently in development.

US: NIST updates its Cybersecurity Framework

NIST has updated its cybersecurity framework, with a major change being the widening of the guidance to all organisations, not just those in critical infrastructure, to manage and reduce risks. The updates by NIST are the result of a multiyear process aimed at making the framework more effective.

You can read more about the new framework here.

Employment and Data Subject Access Requests 

Back to top >

EU: CEF 2024- Launch of coordinated enforcement of the Right of Access

The EDPB launched its 2024 CEF action on the right to access in Brussels. The CEF is a coordinated effort of 31 DPAs in the EEA, including seven from Germany, to enforce the GDPR rules. The right to access is a common and problematic data protection right. The EDPB issued Guidelines on data subject rights in October 2023. The CEF will involve questionnaires, investigations, and follow-ups to ensure compliance.

If you have any questions relating to this article, please reach out to our authors below.