DWF Data Protection insights July 2024

19 August 2024

Here is our round-up of the top data protection and cyber security stories for July 2024, together with practical advice on what we're seeing in practice.

This month in review:

This month, the key themes focus on Data Protection Impact Assessments ("DPIAs") including when such assessments should be carried out and the consequences of getting this wrong. There has also been further development on the use of AI technology, particularly in relation to 'deepfakes' and the EU AI Act entering into force. The European Commission ("EC") has also published its second report in which it has evaluated the application of the GDPR since its inception.

Our trends 

This month, we have identified some key themes emerging from our work with clients. We thought we would share these to provoke some thoughts amongst readers, so please do reach out to us for advice or assistance in relation to:

  • Assessing and advising clients on the correct transfer terms and mechanisms in contracts governing international transfers of personal data.
  • Working with our corporate colleagues to support clients with pre-sale due diligence testing and compliance uplift.
  • Advising clients on requests for personal data from law enforcement agencies, including when and how such requests should be dealt with.

If you would like our assistance with these matters or any other data protection-related support, please contact any member of the Data Protection & Cyber Security team or email us at DPCS@dwf.law

Our contents this month: 

Our events and articles


Data Protection and Cyber Security Breakfast Briefing 

On 25 July 2024, we hosted our latest Breakfast Briefing session. This session delved into recent case law from the Court of Justice of the European Union (“CJEU”), highlighting key conclusions and the significance of these decisions, as well as Advocate General opinions, for organisations in practice. Click here to read our summary article.

Crowdstrike Outage 

Cybersecurity company Crowdstrike recently experienced an outage which impacted the availability of personal data worldwide. Stewart Room, DWF’s Global Head of Data Protection and Cyber Security, has recently published an article which discusses whether the Crowdstrike incident should be categorised as a 'personal data breach' under the GDPR and, if so, whether organisations have a duty to formally notify the regulators.

Cyber Incident Response

In the second episode of the Risk Matters Podcast, DWF's Global Risk Team explores the complexities of the cyber incident response landscape. They are joined by Oliver Price from cybersecurity advisory practice S-RM and by DWF's Data Protection and Cyber Security Director, Jamie Taylor. You can listen to the full episode here.

The King’s Speech 2024: Data Protection Developments

On 17 July 2024, the King announced two key data protection legislative developments in his first speech at the State Opening of the UK Parliament under the new Labour government. Read our article to learn more about the proposed Digital Information and Smart Data Bill and the Cyber Security and Resilience Bill.

General updates


EU: EDPB adopts statement on the role of DPAs in AI Act framework, EU-U.S. Data Privacy Framework FAQ and new European Data Protection Seal

The European Data Protection Board (“EDPB”) has stated that Data Protection Authorities ("DPAs") should, in some cases, be designated as Market Surveillance Authorities (“MSAs”) due to their experience in dealing with the impact of AI on fundamental rights and the protection of personal data. Under the EU AI Act, Member States must appoint MSAs nationally by 2 August 2025 to supervise the Act's application.

Further, the EDPB has provided separate FAQ documents for both individuals and businesses to provide greater clarity on the functioning of the EU-US Data Privacy Framework. 

Following its recognition in Germany in September 2022, the EDPB has updated its opinion on the EuroPriSe Criteria Catalogue which permits its recognition in the EU and the European Economic Area as a certification criterion for processing operations by processors, and as a European Data Protection Seal. The EDPB's opinion will be available on the EDPB website once the necessary legal, linguistic and formatting checks are complete.

EU: The EC publishes its second report on the application of the GDPR

On 25 July 2024, the EC published its second report on the application of the GDPR which noted a significant increase in enforcement activity by DPAs and the available resources to support them. The report also comments on inconsistencies in approaches in some areas, such as minimum age to give consent and the processing of personal data related to criminal activities, and the challenges which are increasingly being faced by small and medium-sized businesses in the data protection landscape. The report reinforces the need to focus on issues, such as consistent application of the GDPR throughout the EU and developing efficient working practices to help appropriately manage the burden placed on DPAs.

International: EU and Singapore concluded negotiations for a Digital Trade Agreement

On 25 July 2024, the EU and Singapore concluded their negotiations regarding a Digital Trade Agreement (“DTA”). This agreement is the first EU DTA of its kind, reinforcing the EU’s goal of becoming the global standard setter for digital trade rules and providing consumers with greater protections when conducting business online. The DTA allows both economies, and the businesses within them, to engage in digital trade with rules in place to ensure customer trust, predictability and legal certainty, creating a safer online environment. The DTA serves as a leading example of the development of digital policy whilst maintaining open and fair digital economies.

UK: Ofcom publishes discussion paper on deepfakes

The Office of Communications ("Ofcom") has published a discussion paper, 'Deepfake Defences: Mitigating the Harms of Deceptive Deepfakes', which highlights the potential harms of deepfakes and how to address and manage these risks. A 'deepfake' is content generated using artificial intelligence which falsely depicts an individual in a harmful scenario or misrepresents their identity entirely, allowing the spread of misinformation across the web, with the power to influence opinion on the key issues of today. Ofcom’s paper highlights the importance of tackling deepfakes and suggests practical methods businesses can use to prevent deepfake content.

Ireland: Protection of Children (Online Age Verification) Bill 2024 introduced to the Houses of Parliament

On 4 July 2024, the Protection of Children (Online Age Verification) Bill 2024 was introduced to the Houses of Parliament. The focus of this Bill is to protect children online by implementing age verification processes for access to certain online material, as well as imposing a duty on internet service providers and application store services to ensure inappropriate content is inaccessible to children. You can read the Bill here and track its progress here.

UK: ICO publishes its 2023-2024 annual report

On 18 July 2024, the ICO released its annual report which reflects on its performance, focus areas, and enforcement activity throughout 2023-2024. The ICO highlighted three key projects:

  • investigating tracing agents’ use of information related to domestic violence survivors; 
  • examining the Home Office’s pilot for monitoring migrants on immigration bail; and 
  • assessing period and fertility tracking apps for personal data processing.

The report also highlights that the ICO received 39,721 data protection complaints (38% of which related to the right of access) and 11,680 data breach reports (an increase of 28% since the previous period), and has imposed over £15 million in monetary penalties.

Adtech and direct marketing


UK: ICO issues a statement in response to Google's announcement to no longer block third party cookies in Chrome

After initially praising Google’s move to block third-party cookies as a positive step for consumer privacy, the ICO has recently expressed its disappointment at Google's decision to no longer block third-party cookies in its Chrome web browser. The ICO has re-affirmed its commitment to promoting a privacy-friendly internet and encourages the digital advertising industry to adopt more privacy-friendly alternatives to third-party cookies. You can read the ICO's comments on Google's decision here.

EU: IAB Europe announces submission of position paper to EDPB on "consent or pay"

On 18 July 2024, the Interactive Advertising Bureau (“IAB”) Europe, supported by several regional IAB bodies, announced that it has sent a position paper outlining key concerns and recommendations to the EDPB in connection with the EDPB's opinion of 17 April 2024 regarding the use of 'consent or pay' models. One of the IAB's concerns was the difficulty faced by large online platforms in properly complying with data protection requirements for valid consent if they provide their users with a binary choice. The IAB’s recommendations included that the EDPB align its opinion with CJEU case law.

International: World Trade Organisation adopts the Agreement on Electronic Commerce

On 26 July 2024, the World Trade Organisation adopted the Agreement on Electronic Commerce ("Agreement"), which intends to benefit consumers and businesses in the digital trade industry by promoting innovation, reducing barriers and facilitating e-commerce transactions. Once accepted, parties to the Agreement will be required to, amongst other things, publish information on the protections they have in place to protect the personal data of e-commerce users and the remedies available to an individual user.

AI and innovation


EU: AI development raises question of legal basis 

The International Association of Privacy Professionals ("IAPP") has recognised intense public debate in Norway regarding the development of Large Language Model ("LLM") AI programmes and the associated privacy issues, one of which concerns the most appropriate lawful basis to be relied upon for such processing. The EDPB ChatGPT taskforce’s report of May 2024 leaves open the possibility of legitimate interest as a legal basis for these models. 

UK: Lessons to be learnt regarding DPIAs from the ICO's recent Snap My AI decision

On 19 June 2024, the ICO published the results of its investigation into Snap My AI, which led to Snap completing a fifth DPIA in relation to the risks associated with its "My AI" chatbot. The ICO has since confirmed that this revised DPIA now complies with the requirements of Article 35 of the UK GDPR and that Snap had not breached its Article 36 obligation to consult with the ICO. The IAPP has recently commented on the lessons that can be learned regarding DPIAs from this investigation, which include implementing automated checks to mitigate the risk of errors and the need to ensure the DPIA is sufficient for the particular processing activity.

EU: EU Commission announces the entry into force of the EU AI Act

The EU AI Act, which focuses on establishing a market for AI in the EU in which individuals' rights are protected and safeguarded, has recently entered into force. Key provisions include the option for companies to adopt additional codes of conduct, the requirement to be transparent with users that they are interacting with a machine, and strict requirements for high-risk systems. Member States have until 2 August 2025 to designate responsibility for overseeing and monitoring the rules and enforcement action; however, the EC has advised that most of the provisions will apply from 2 August 2026.

Cyber, breach and ransomware


UK: Government to introduce Cyber Security and Resilience Bill 

On 17 July 2024, as part of the King's Speech, it was announced that the UK Government plans to introduce the Cyber Security and Resilience Bill. The Government has suggested that the bill will focus on ensuring essential digital services are protected. This protection would be established by expanding existing regulation, providing more power to regulators, and increasing reporting requirements.

UK: ICO reprimands the Electoral Commission after cyber-attack compromises servers

The ICO has issued a reprimand to the Electoral Commission for alleged infringements of Articles 5(1)(f) and 32(1)(b) of the UK GDPR, after hackers accessed its Microsoft Exchange Server in August 2021, which allowed them access to the personal information (including names and home addresses) of around 40 million people. The ICO found that the Electoral Commission did not, at the time of the incident, have appropriate security measures in place to protect users' personal data. The Electoral Commission has since taken adequate steps to remedy this. The ICO's reprimand, issued on 30 July 2024, is available to read here.

EU: EC publishes a risk assessment report on cyber resilience in respect of the EU's telecommunications and electricity sectors

On 24 July 2024, the EC and the European Union Agency for Cybersecurity ("ENISA") published their report evaluating the cyber security risks in the EU's telecoms and electricity sectors. Some of the significant risks highlighted in the report concern supply chain issues, ransomware targeting sensitive data, service disruption, physical sabotage and espionage. The report urges that its recommendations be implemented as soon as possible in order to enhance resilience against the rapidly evolving threat landscape. The recommendations include sharing best practices and enhancing cooperation with technical networks to improve resilience and cybersecurity; strengthening contingency planning, crisis management and operational collaboration; and addressing supply chain security with follow-up assessments and the development of an EU framework. You can read the full report here.

Data transfers


EU: EDPS releases its new model administrative arrangements for transfers of personal data between EU institutions and international organisations 

The European Data Protection Supervisor ("EDPS") has outlined that its new model of administrative arrangements for transfers of personal data implement appropriate safeguards that ensure a level of protection that is equivalent to that provided by EU legislation. However, such arrangements between EU institutions and international organisations still require approval from the EDPS.

International: The U.S. Department of Commerce publishes statement on EU-US Data Privacy Framework report 

On 19 July 2024, the U.S. Secretary of Commerce and EU Commissioner for Justice and Consumers announced the first periodic review of the EU-U.S. Data Privacy Framework (“DPF”). The review comes one year since its implementation and highlights the framework’s success in enhancing privacy protection and facilitating over $1 trillion in EU-US trade. More than 2,800 businesses (mostly small and medium-sized) have joined the DPF since its inception. 

Public sector


UK: Essex school reprimanded after using facial recognition technology for canteen payments

On 23 July 2024, the ICO published a reprimand to a school in Essex for implementing facial recognition technology as a cashless method of payment in the canteen in 2023. The ICO found that the school had failed to carry out a DPIA, despite processing biometric data of students aged 11-18. This reprimand highlights the importance of carrying out DPIAs, especially when processing special category data of minors, and the importance of obtaining adequate consent.

UK: London Borough of Hackney reprimanded following cyber attack

Following a cyber-attack in 2020, which led to hackers accessing 440,000 files (including special category data) affecting at least 280,000 employees and residents, the ICO has issued a reprimand to the London Borough of Hackney ("LBH"). The attack had a significant impact on LBH's systems, some of which were down for two years, and disrupted its handling of Freedom of Information ("FOI") requests, which led to 29 complaints. The ICO's investigation found that LBH lacked proper security measures or processes to protect the personal data that it stored.

UK: ICO takes action against two organisations for "risking public trust" by failing to respond to public requests for information

The ICO has issued enforcement notices to two public sector organisations for failing to respond to FOI requests, a failure which the ICO's Head of FOI Complaints and Appeals has emphasised undermines fundamental rights and public trust. Both organisations have been required to publish an action plan and have a time limit by which they must clear their backlog of FOI requests.

If you have any questions relating to this article, please reach out to our authors below.

Further Reading