DWF Data Protection Insights April and May 2024

This month in review:

Key themes throughout April and May included regulatory matters, particularly the efforts of the UK’s regulators and Parliament to develop new guidance on artificial intelligence. The European Data Protection Board (EDPB) has issued new Rules of Procedure regarding EU-US data transfers. There has also been lots of  updates on Cyber Security and additional guidance from the EU on the processing of health data.

We've also identified some emerging themes from our work with clients. We thought we'd share these to provoke some thoughts amongst readers, so please do reach out to us for advice or assistance in relation to:

• Regulatory audits - we've noticed an increase in clients being subject to audits by the ICO and we are supporting and advising our clients through the process.

• Data subject access requests continue to be a challenge, whether from current, former or prospective employees, a customer, or as a result of a data breach. Our team is available to support you so do reach out to JP Buckley for more details.

• Dealing with Ransomware / breach events – we recently ran two Breakfast Briefing sessions in London and Manchester focusing on incident response to security breaches. If you have missed our sessions or if you are interested in a more tailored, in-depth incident response session for your business, please reach out to Stewart Room for further information.

• AI policies and procedures have become an emerging trend, particularly given the current fast past development of AI regulation.

Our contents this month

• Our events and articles
• General updates
• Adtech and direct marketing
• AI and innovation
• Cyber, breach and ransomware
• Data transfers
• Employment and data subject rights

Our events and articles

Back to top >

Advancing Legal Operations with AI in eDiscovery

Our eDiscovery team use specialised Computer-Assisted Review technology to assist many clients to efficiently manage high-volume document review projects. Click here to read about how our eDiscovery team may be able to support your business needs, working with our lawyers to provide single-source holistic advice.

Data Protection & Cyber Security Breakfast Briefings

On 25 April, we were thrilled to hold our first Data Protection & Cyber Security Breakfast Briefing in Manchester! The event, led by Stewart Room and the team, was a continuation of our interactive incident-response series in which we condensed the crucial first week of incident response into a comprehensive two-hour incident response simulation. Stewart Room also imparted valuable practices that any organisation can adopt to enhance their cyber-attack readiness and reduce associated commercial risks.

On 30 May, we then welcomed a number of in-house experts to our London office for our next Breakfast Briefing which was centred around ICO audits. Again, hosted by Stewart Room and the team, we drew on DWF’s experience in navigating the process and the valuable insights and real-life experiences provided by our guests. 

Our next Breakfast Briefing will be held on 27 June and will focus on how you can be using international standards for operational best practice in your data protection and cyber security programmes. If you are interested in attending this or subsequent Breakfast Briefings, please let us know by contacting your usual Data Protection & Cyber Security contact or emailing dpcs@dwf.law with the subject “London Breakfast Briefing”.   A dial-in option is now available so you can attend remotely too.

General updates

Back to top >

UK: DPDI bill has been dropped

The Data Protection and Digital Information Bill ("DPDI") was not passed in time before Parliament prorogued, following the announcement of July’s general election, and therefore has been dropped from the agenda. However, The Data & Marketing Association has called on the new government to reintroduce the DPDI Bill and has launched a 10-point manifesto to reform the UK’s data protection legislation.

EU: EDPB Annual Report 2023 - Safeguarding individual rights

The EDPB has published its 2023 Annual Report, in which it emphasised its ongoing commitment to harmonising data protection interpretations and influencing the legal framework by establishing fundamental principles. The Report reflected on two binding decisions made in the previous year and provided guidance to support organisations, including the launch of a Guide for Small Businesses. The EDPB also indicated its intention to maintain a similar approach in 2024.

EU: CJEU publishes opinion on the interpretation of "data concerning health" under GDPR

On 25 April 2024, the CJEU released the Advocate General’s Opinion for Case C-21/23 which concluded that customer data on online pharmacy platforms could only lead to vague or speculative inferences about an individual's health, and did not meet the criteria for “data concerning health” as defined in Article 4(15) of the GDPR. This interpretation helps clarify the scope of what constitutes sensitive health data within the context of GDPR compliance for online sales platforms.

EU: EC issues guidance on the Data Act

In its guidance, the European Commission ("EC") provides an overview of the operation of the Data Act and how it applies in practice to various different data sharing arrangements, such as between business-to-business, business-to-consumer, business-to-government and business-to-third country government.

EU: EC publishes Q&A on the European Health Data Scope

The EC has unveiled a new Q&A page dedicated to the European Health Data Space (EHDS), which aims to empower individuals by informing them about how they can access and easily manage their personal health data. The Q&A addresses topics such as the methods for individuals to access and share their health data, the implications of data sharing within the healthcare sector, and the impact of EHDS on health-related initiatives throughout Europe. You can read the full Q&A here.

EU: EC's proposed 'cookie pledge' lacks commitments

The EC's initiative to reform cookie usage and offer consumers more control over tracking-based advertising failed to gain traction with major technology companies, as its launch coincided with the enforcement of the Digital Markets Act and Digital Services Act. Although the outcome was not as expected, the EDPB indicated that the EU would persist in examining the “consent or pay” practices prevalent across numerous online platforms. Read the full article here.

UK: ICO updates privacy notice template

The ICO has launched a new privacy notice generator tool aimed at aiding sole-traders, start-ups, and small businesses in creating customised privacy notices, ensuring compliance with legal requirements. Currently, the tool offers assistance in drafting notices for customers, suppliers, staff, and volunteers. The ICO has also expressed its intention to develop sector-specific versions of the tool for professional services, education and childcare, health and social care, and the charity and voluntary sector, to further support these industries in meeting their privacy obligations.

UK: A joint statement by Ofcom and the ICO on collaboration on the regulation of online services

Ofcom and the ICO have issued a collaborative statement detailing their strategy to jointly regulate online services. This partnership aims to enhance operational efficiency and foster a unified approach to areas of shared interest between the two regulators. The statement highlights several key areas for intensified cooperation, including topics like age assurance and online safety, oversight of companies that both regulators have an interest in, the exchange of information, and methodologies for working together.

EU: European Parliament agrees to new GDPR procedural rules

Members of the European Parliament have raised concerns that insufficient cross-border cooperation has hindered the investigation of GDPR violations. The proposed procedural rules, which have been adopted by the European Parliament, aim to harmonise procedural rules and rights, streamline the handling of cross-border cases, increase legal clarity for both businesses and individuals and establish dispute resolution mechanisms. The proposals have been referred to the committee for negotiations and will be followed up by the new Parliament after the European elections.

Spain: AEPD launches an updated GDPR compliance tool

The AEPD has launched a new version of its GDPR compliance tool, which includes almost 800 privacy measures to assist data controllers, data processors and DPOs to comply with their roles and responsibilities and in managing risk.

UK: Ofcom launches a public consultation on draft Children’s Safety Code of Practice

On 8 May 2024, Ofcom announced it is seeking public comments on its draft Children’s Safety Code of Practice regarding the protection of children from online harm. The consultation will remain open for responses until 5pm on 17 July 2024 and the draft Code can be accessed here.

EU: EDPB adopt a statement on the financial data access and payments package

In its statement, the EDPB provided several recommendations to help tackle fraud in the finance sector. Key recommendations include: the need for clearer rules on the recording and disclosure of personal data within the context of the transaction monitoring mechanism; obligations for AISPs and PISPs to inform PSPs about the customer account to which access is being sought, the legal basis to do so and, if applicable, the Article 9(2) GDPR exemption being relied upon; a clearer distinction between the term ‘permission’ and the legal basis of consent; requirements for permission dashboards under the FIDA and PSR proposals; a clearer definition of ‘sensitive payment data’; and the need for co-operation between regulatory authorities.

Adtech and direct marketing

Back to top >

EU: EDPB publishes Opinion on consent or pay models

In its Opinion, the EDPB criticised the current “consent to pay” models for not providing individuals with a genuine choice between consenting to the processing of their personal data for behavioural advertising purposes and paying a fee, and has urged online platforms to ensure individuals are given the choice of a free "equivalent alternative". The AEPD has subsequently published an updated cookie guide in line with the EDPB’s Opinion (only available in Spanish), which can be viewed here.

AI and innovation

Back to top >

UK: ICO and the FCA publish their respective approaches to AI regulation

Following the Government’s response to the AI Regulation White Paper consultation, the FCA has advised its focus is on identifying and mitigating risks, rather than prohibiting specific technologies. The FCA’s update also explained it will also be involved the evaluation of the impacts of specific technologies, such as AI, blockchain, and cloud infrastructure on financial markets and consumer protection.

The ICO will be adopting a flexible risk-based and principle-driven approach to AI regulation, putting the emphasis on the need for organisations to proactively identify and mitigate issues in a way that is most suited to them. Where a high-risk to the rights and freedoms of individuals can't be mitigated, the organisation is required to consult the ICO.

UK: Digital Regulation Cooperation Form launch an AI and Digital Hub to encourage economic growth

The AI and Digital Hub aims to support innovators when they are faced with complex regulatory questions by providing a single source of informal advice from multiple regulators at once, free of charge.  

UK: Government responds to Communication and Digital Committee's report on LLM and generative AI

In its response, the Government expresses the need for responsible development and deployment of the risks and uncertainties regarding the use of AI and the need for transparency and fair competition within the AI sector.

International: Noyb files GDPR complaint over alleged AI chatbot 'hallucination'

In the complaint made to the Austrian Data Protection Authority ("DPA"), Noyb claims that ChatGPT’s hallucination of his birthday contravenes the accuracy principle and the right to rectification under the GDPR. Noyb have requested that the Austrian DPA impose an “effective, proportionate, dissuasive, administrative fine" on OpenAI and investigate its data processing procedures, specifically regarding the measures it takes to ensure the accuracy of personal data processed in relation to ChatGPT.

UK: DSIT launches a public consultation on cybersecurity codes of practice

On 15 May 2024, the Department for Science, Innovation and Technology announced it is seeking public feedback on two draft codes of practice – secure AI systems and software security – both of which aim to embed security into the lifecycle of AI models/systems and software respectively. Both consultations close on 9 August 2024.

UK: ICO warn organisations to stop ignoring DP risks as it concludes Snap "My AI" chatbot investigation

Following the conclusion of the investigation into Snap, Inc's 'My AI' chatbot, the ICO states this should act as a "warning shot for industry" and urges organisations developing or using generative AI to consider data protection in the product or service at the very outset. The ICO reminds the industry that it will continue to monitor risk assessments and use the full range of its enforcement powers to protect the public from harm. The final decision is due to be published in the upcoming weeks.

UK: 'AI Champion' for SMEs proposed as part of UK Digital Reforms

The British Chambers of Commerce has published its Digital Revolution report, which has provided 4 recommendations to help assist UK businesses. One of the recommendations is the need to appoint an 'AI champion' to help spearhead a programme to improve business use of AI, explore social tariffs in low-income neighbourhoods to widen access to broadband services, seek to strengthen the UK's wireless network infrastructure, and work with the insurance industry to create a reinsurance pool that underwrites cyber risk for business.

EU: EDPS launches guidelines on generative AI and personal data for EU institutions

The European Data Protection Supervisor ("EDPS") has published its guidelines on generative AI and personal data for EU institutions, bodies, offices and agencies ("EUIs"). The EDPS have advised that this guide is a first indication of the extensive recommendations that can be expected from the EDPS, in their effort to support the protection and maintain the privacy of personal data. The guidelines focus on a number of serious topics, including how EUIs can identify whether AI tools process an individual's personal data and when to conduct a data protection impact assessment.

International: Countries agree to develop AI risk assessment thresholds

The AI Seoul Summit has resulted in 27 nations committing to work together on severe AI risks, to develop appropriate thresholds in the development of biological and chemical weapons and AI's ability to evade human oversight. The UK Government views this agreement as an important step in the AI Safety agenda.

UK: AI Safety Institute releases AI safety evaluations platform

The UK’s AI Safety Institute has introduced Inspect, an open-source platform that aims to standardise AI safety evaluations globally and focuses on core knowledge, reasoning and autonomy of AI systems. This state-backed initiative enables diverse groups, from start-ups to governments, to assess AI models’ capabilities and generate safety scores. The release aligns with the arrival of more advanced AI models in 2024, emphasising the need for responsible AI development.

EU: Council of the European Union gives final approval to AI Act

The Council of the European Union has approved the AI Act, marking a significant milestone as the first global legislation to harmonise the rules on AI. The Act aims to promote the development and adoption of safe and trustworthy AI across the EU’s single market, while protecting the fundamental rights of EU citizens and encouraging investment and innovation in AI. The Act adopts a ‘risk-based’ approach, which will see any AI programme subject to a compliance test to determine its risk-level, and practices considered high-risk, such as social scoring and certain uses of biometric data, are banned. Several governing bodies will be set-up to help implement the Act, including an AI office. The Act applies only within EU law and excludes military, defence, and research applications.

EU: EDPB adopts the report of the work undertaken by the ChatGPT task force

On 23 May 2024, the EDPB released its latest report in which its ChatGPT task force assessed the compliance of large language models with the GDPR requirements of an appropriate lawful basis, the need for fairness and transparency, the principle of data accuracy and the ability for data subjects to exercise their rights.

EU: EDPB adopt an Opinion on the use of facial recognition at airports

In its Opinion, the EDPB assessed the use of facial recognition technology by EU airports for compliance with the GDPR, namely the storage limitation principle, the integrity and confidentiality principle, data protection by design and default and security of processing. The Opinion concluded that biometrics can only be used to verify a passenger’s identification where official documentation (such as a valid passport) is required, and the only compatible way to store this is biometric data is in the individual's hands or a central database where the encryption key is kept solely in their hands. The EDPB also reiterated the requirement for data controllers to be able to sufficiently justify their retention period in line with the GDPR requirements.

Cyber, breach and ransomware

Back to top >

International: Ransomware payments drop to record low

Cybersecurity firm Coveware have published a report which shows payment of ransoms are at a record low of 28% (down from 29% in 2023), however, the total amount paid to ransom attackers is higher than ever before, with the median ransom payment now reported to be $250,000.

UK: Latest news from the National Cyber Security Centre

• A new blog with guidance on how the Product Security and Telecommunications Infrastructure regime impacts consumers (including smart devices such as smart speakers and appliances that connect to the internet or home networks) and manufacturers.
• A new blog covering tactics used by cybercriminals in ransomware attacks and sensitive data theft and extortion.
• New guidance, in collaboration with the Association of British Insurers, the British Insurance Association and the International Underwriting Association, to help reduce ransom payments and encourage organisations to think pragmatically before making payment.
• New guidance on the steps organisations can take to reduce the risk of business email compromise attacks.

UK: ICO calls for organisations to do more to combat the growing threat of cyber attacks

On 10 May 2024, the ICO published its report 'Learning from the mistakes of others' which analyses the data breach reports it has received and shares lessons that organisations can learnt from common security mistakes in relation to phishing, brute force attacks, denial of service, errors and supply chain attacks. ICO’s own trend data reveals that it has received over 3,000 cyber breach reports, mainly from the finance (22%), retail (18%) and education (11%) sectors.

Poland: Ministry of Digitization publishes amendments to National Cybersecurity Act for public consultation

On 24 April 2024, the Ministry of Digitization published the draft act amending the National Cybersecurity System in line with the NIS 2 Directive and sought public comments (the consultation closed on 24 May 2024). Some of the key changes concern the reporting of serious incidents, the introduction of a new self-identification mechanism, extension of the scope of the act, response to critical incidents, increased powers to national-level CSIRTs and the introduction of a new incident and response plan. The press release and draft act (only available in Polish) can be read here.

UK: Update on the ICO's latest enforcement action

The ICO has fined two companies a total of £340,000 for calling almost 1.43 million calls to individuals registered with the TPS.

The Central YMCA has been issued a reduced fine of £7,500 and a formal reprimand for sending emails to 264 email addresses using CC instead of BCC where there was sensitive health data disclosed.

Additionally, the Tribunal has dismissed Join the Triboo's appeal against their fine of £130,000 for sending millions of spam emails without consent, finding that the privacy policy was "poorly signposted" and that an individual's registration could not, by itself, be treated as valid consent to receive direct marketing communications.

Data Transfers

Back to top >

EU: EDPB adopts 2 Rules of Procedure regarding the transfer of data under the EU-US Data Privacy Framework

The first is addressed to the "Informal Panel of EU DPAs", which provides binding advice to US-based organisations following unresolved complaints about the handling of personal data transferred under the EU-US Data Privacy Framework. A failure to comply with the panel's advice will lead to the organisation being referred to the U.S Department of Justice or possible enforcement action.

The second concerns the redress mechanisms available to EU individuals where there are alleged violations of US law by US authorities collecting data for national security purposes. The Information Note provides further clarity on EDPB's approach to these situations.  

Employment and Data Subject Access Requests

Back to top >

EU: CNIL publishes its annual report for 2023

The French regulator has published a report reflecting on its activities aligned with its main objectives to inform the public, support compliance, provide guidance on emerging issues and responding to GDPR and privacy-related breaches. Key highlights include: a 35% rise in complaints; a 217% surge in requests for indirect access rights; and twice as many fines issued (at double the amount) than in the previous year. The CNIL concluded that this increase of activities was partially due to the regulator simplifying its procedures, which enabled it to handle the growing volume of complaints more efficiently.

EU: CJEU publishes Opinion of Advocate General on a data subject erasure request

The Advocate General concluded that an individual's right to erasure of their personal data from a public document (in this case a commercial register) can't be conditional on the individual submitting a copy of the document in question. You can read the full judgement here.

If you have any questions relating to this article, please reach out to our authors below.