DWF Data Protection Insights – January 2025

22 January 2025

Here is our round-up of the top data protection and cyber security stories issued in January 2025 looking back at November and December 2024, together with practical advice on what we are seeing in practice. Sign up to our Breakfast Briefing on 30th January too, for more insights and predictions/focus areas.  

November and December 2024 in review:

Over the last two months, we've seen numerous regulatory and legislative updates from the EU and UK.

In the EU, the European Data Protection Board ("EDPB") has issued an Opinion on processing personal data for AI models, the Court of Justice of the European Union ("CJEU") has published two judgments clarifying the information requirements under Article 14 of the GDPR and the processing of personal data in an employment context, and the European Supervisory Authorities ("ESAs") have published a statement on the application of the Digital Operational Resilience Act ("DORA"). In addition, the EU Cyber Resilience Act ("CRA") came into effect on 10 December 2024 and the European Union Agency for Cyber Security ("ENISA") has published its report on the state of cybersecurity in the EU.

In the UK, the ICO has published guidance, including on data sharing practices and advice to local authorities to help manage high volumes of Freedom of Information ("FOI") Requests and Data Subject Access Requests ("DSARs"). The ICO has also been working with other regulators, including a joint position paper with the Competition & Markets Authority on 'harmful designs in digital markets' and a joint statement with the Financial Conduct Authority ("FCA") and The Pensions Regulator ("TPR") on the remits of regulatory messages and direct marketing communications.

Our trends:

We have identified some key themes emerging from our work with clients over the last two months. We wanted to share these to provoke some thoughts amongst our readers so please do reach out to us for advice or assistance:

  • Supporting our clients with incident response management – both proactively by way of Incident Response Management planning and scenario testing, as well as reactively to advise on and lead incidents;
  • Continuing to support our clients to manage and respond to DSARs and related complaints often with a weaponised angle (disgruntled employees, customers etc.);
  • Working closely with our clients to improve their overall compliance with data protection legislation (including the Privacy and Electronic Communications Regulations) by way of reviews, including mandatory audit support and proactive reviews, ransomware simulation training and incident response readiness assessments; and
  • Conducting corporate and restructuring due diligence exercises in pre-sale acquisitions from a data protection perspective.

Our contents this month:

Our events and articles

Data Protection and Cyber Security - January Breakfast Briefing: New year, new data protection priorities? Our insights on key developments in 2024 and predictions for 2025

On 30 January, the DWF team will be hosting its first Breakfast Briefing of 2025. In this session, we will review the data protection developments during 2024, share our predictions on what we expect to see throughout 2025 and help you to plan ahead for the coming year.

If you are interested in attending this Breakfast Briefing or any of our future sessions, please visit this registration link, contact your usual DWF Data Protection & Cyber Security contact or send an email to dpcs@dwf.law.

How can DWF’s Data Protection Extend & Accelerate service help you achieve more with less?

In our last Breakfast Briefing of 2024, we focused on our Data Protection Extend & Accelerate service which we have designed to assist in-house teams with the day-to-day data protection challenges they may face. We also heard from two of our clients that are already on the programme who shared their insights into the programme and how their organisation has benefitted from it. 

If you were unable to attend our last Breakfast Briefing, or you'd like to recap on what offerings the service can bring to your organisation, you can watch the recording here. You can always reach out to a member of DWF's Data Protection & Cyber Security team or send an email to dpcs@dwf.law to learn more or get involved.

EU – Data Transfers - Recap on Uber’s fine for unlawful EU-US transfer of personal data

We’ve recently published an article which provides an overview of the Dutch Data Protection Authority’s (“DPA”) fine against Uber of €290m, which was issued in August 2024. The Dutch DPA found that Uber had unlawfully transferred personal data of its European drivers to Uber’s headquarters in the US without an appropriate safeguard in place. Whilst Uber had stated it would appeal the decision, to date there have been no updates, but we will share more information as it becomes available.

Revolutionising construction: The impact of AI and Smart Contracts

DWF's Aine McGuinness’ article explores how AI is transforming the construction industry by streamlining project management, minimising delays, and ensuring safety and quality. A key AI application is Smart Contracts, which automate processes such as payments and project tracking. Stored on a blockchain, these contracts provide transparency, reduce disputes, and accelerate tasks like payments once milestones are reached. However, there are challenges, including high costs, legal compliance issues, the need for quality data and a skills gap. Smaller firms may find it difficult to meet the costs of implementing AI, and legal frameworks for Smart Contracts need to be established.

General updates

UK: Update on the Data (Use and Access) Bill (“DUAB”)

The DUAB has passed through the second reading and the committee stage in the House of Lords. Focus appears to be on getting the published Bill through the process rather than considering new and valid amendments. The DUAB is expected to proceed to the report stage on 25 January 2025. We are watching the Bill's progress through Parliament closely and will publish further updates as it progresses.

EU: EDPB calls for coherence of digital legislation with the GDPR

The EDPB has recently adopted a statement on the second report on the application of the GDPR, in which it underlined the importance of coherence between digital legislation (such as the EU AI Act, the Digital Markets Act and the Digital Services Act) and the GDPR. The EDPB also stated its intention to produce more accessible content for non-experts and SMEs and improve the way it drafts new guidance, but it highlighted that DPAs and the EDPB need extra financial support and human resources to ensure personal data remains protected to a high level.

UK: ICO 2024 – a year in review

The ICO has reflected on its work throughout 2024. Key statistics include completing 36,049 data protection complaints, 7,448 freedom of information complaints, 1,991 personal data breach cases, 179 investigations and 41 audits. The ICO has also issued £1.27m in fines as part of its mission to crack down on nuisance calls, which is one of its key regulatory focus areas.

UK: ICO and CMA publish joint position paper on harmful design in digital markets

The ICO and the CMA have published a joint position paper on ‘Harmful design in digital markets’, which addresses how certain online design practices can undermine consumer choice and control over personal data. The paper highlights potential harms to data protection, consumer rights and competition, and identifies practices such as ‘harmful nudges and sludge’, ‘confirm shaming’, ‘biased framing’, ‘bundled consent’ and ‘default settings’ as problematic. It also offers guidance for firms and online interface designers on complying with data protection laws, stressing the need to avoid these harmful practices to protect privacy and ensure fair competition.

EU: NOYB approved to bring collective actions in any EU Member State

On 2 December 2024, Austria approved NOYB (a not-for-profit organisation founded by privacy activist Max Schrems) as a 'Qualified Entity' to bring collective enforcement action through the courts in any EU Member State. Earlier in the year, in October 2024, NOYB was also granted this status by the Irish Ministry for Justice. Max Schrems has already announced his intention to "bring the first actions in 2025" and, with the organisation's greater leverage, we can expect to see a much higher volume of litigation brought against organisations throughout the EU.

Adtech and direct marketing

UK: ICO, FCA and TPR issued a joint statement for retail investment firms and pension providers

The joint statement, released on 15 November 2024, provides clarity on how to align regulatory communications with data protection laws, emphasising the provision of clear, timely and neutral information to consumers. The statement distinguishes regulatory messages from direct marketing communications: the former may be sent without direct marketing permissions as long as they are factual and not promotional. In any event, organisations must ensure they still comply with the general data protection rules.

EU: Chair of the EDPB, Anu Talus, reacted to 'Consent or Pay' models

In a LinkedIn post, Anu expressed support for less intrusive adverts and welcomed a platform's announcement of a new free option with reduced profiling for advertising. The EDPB is currently developing broader guidelines on 'Consent or Pay' models, building upon its Opinion 08/2024 which focused on large online platforms.

UK: The ICO fined two companies a total of £290k for unlawful direct marketing communications

Two companies, based in Greater Manchester, have been fined a total of £290k for collectively making approximately 4.5 million nuisance calls to individuals who had opted out of receiving marketing calls. You can read the full details here.

AI and innovation

EU: European Commission ("EC") published a Q&A relating to the EU AI Act and an update on the General Purpose AI (“GPAI”) Code of Practice

The AI Office has published a Q&A to clarify various provisions of the EU AI Act, including the definition of a GPAI and various obligations imposed on providers, and also provided an update on the intended Code of Practice. Two draft Codes of Practice have now been published with a third expected for the week of 17 February 2025, before the final GPAI Code of Practice is issued. Click here to read the First Draft and Second Draft.

UK: The ICO responded to the consultation series on generative AI

The ICO published its response to the generative AI consultation series, in which it noted it had received 192 responses from organisations and 22 from members of the public. The ICO’s position on purpose limitation, accuracy and controllership remained unchanged, but it did amend its stance on legitimate interests as a lawful basis for web scraping to train generative AI models, as well as on engineering individual rights into generative AI models.

EU: EDPB released Opinion 28/2024 on personal data processing in the context of AI models

At the request of the Irish Data Protection Commission, the EDPB issued its Opinion on the processing of personal data within the development and deployment stages of AI models. Certain topics, such as special category data and automated decision-making, were excluded from the scope but the EDPB noted that its Opinion is non-exhaustive and is intended to serve as guidance. The Opinion clarifies the concept of an 'anonymous' AI system, provides a three-step assessment for relying on legitimate interests as a lawful basis and considers appropriate mitigating measures to balance an individual’s rights with a controller’s interests. The EDPB also outlined the discretionary power for Supervisory Authorities where there has been unlawful data retention or processing within AI models.

UK: ICO issued recommendations to AI developers and providers to protect job seekers’ information rights

Following its audit of several providers and developers of AI tools for recruitment purposes, the ICO has made almost 300 recommendations to improve the protection afforded to job seekers’ information rights. The ICO has also published its outcome report which identifies several concerns, including the lack of accuracy testing, the potential for discriminatory results, the lack of compliance with the data minimisation principle and confusion around whether an AI provider was a data controller or a data processor.

Cyber, breach and ransomware

EU: ESAs published statement on the application of DORA

The ESAs (including ESMA, EIOPA and EBA) have issued a statement requiring financial organisations to have their DORA-compliant systems set up by 17 January 2025. They must also make their registers of ICT third-party service provider (“ICT TPSP”) contractual arrangements available to Supervisory Authorities by early 2025; the Supervisory Authorities will then have to report them to the ESAs by 30 April 2025. In addition, ICT TPSPs that consider themselves to be critical should also assess their compliance with DORA, with the first designation of ‘critical’ ICT TPSPs expected to take place in the second half of 2025.

UK: ICO and the Department for Science, Innovation and Technology (“DSIT”) published a new Privacy Enhancing Technologies (“PETs”) Cost-Benefit Awareness Tool

The ICO, in collaboration with DSIT’s Responsible Technology Adoption Unit, launched the PETs Cost-Benefit Awareness Tool on 7 November 2024. This tool includes a cost-benefit checklist to help organisations assess the costs and benefits of adopting PETs, such as homomorphic encryption and differential privacy, and also provides guidance on compliance costs and the mitigation of risk.

EU: Updates on the NIS 2 Directive

The European Union Agency for Cybersecurity has released a report entitled ‘NIS Investments 2024’, a cybersecurity policy assessment that aims to help policy makers assess the effectiveness of the EU’s cybersecurity framework and the influence brought by the NIS Directive. Key highlights include: 89% of organisations will require more cybersecurity staff to comply with NIS 2 and additional staff to comply with other cybersecurity legislation (such as DORA); and 90% of organisations expect an increase in cyberattacks in 2025.

In addition, the EC issued formal notices to almost all of the EU Member States for failing to transpose the NIS 2 Directive and/or the Critical Entities Resilience Directive by 17 October 2024. The affected Member States have two months to respond, complete the transposition and notify the EC of the measures taken.

EU: EU Cyber Resilience Act (“CRA”) published in Official Journal of the EU

On 20 November 2024, the EU CRA was published in the Official Journal of the EU and subsequently took effect on 10 December 2024. The EU CRA governs the essential cybersecurity regulation for products with digital elements that are within the scope of the regulation, including security and vulnerability handling, obligations for manufacturers, importers and distributors, and reporting obligations for actively exploited vulnerabilities. Failure to comply with the provisions could mean importers and distributors of products with digital elements face fines of up to €15 million.

Most of the provisions of the EU CRA apply from 11 December 2027, apart from the reporting obligations of manufacturers (11 September 2026) and the provisions around notification of conformity assessment bodies (11 June 2026). 

EU: ENISA published its report on EU cybersecurity

ENISA has published its report on the state of cybersecurity in the EU, which concludes that the cybersecurity threat level in the EU is "substantial", with EU entities being targeted directly by threat actors or exposed to data breaches through vulnerabilities. ENISA has issued six recommendations, which include increasing the support given to EU institutions, bodies, agencies and national competent authorities, revising the EU Blueprint for coordinated response to large-scale cyber incidents, strengthening the EU cyber workforce, addressing supply chain security, enhancing understanding of sectoral specificities and needs, and promoting a common high level of cybersecurity awareness and hygiene.

Employment and Data Subject Rights

EU: CJEU Judgments

  • Providing information to data subjects where personal data has been collected indirectly

Case C-169/23 concerned the issuing of COVID-19 immunity certificates by the Hungarian Government and a subsequent complaint by a data subject that it had not provided a statement on the protection of personal data in relation to those certificates. The Hungarian Government argued that it was required by law to obtain this information from a third party and, therefore, was exempt under Article 14(5)(c) of the GDPR from providing this information.

The CJEU concluded that the exemption under Article 14(5)(c) of the GDPR applies to personal data that has been collected by the controller indirectly from a third party, regardless of whether the controller obtained this itself or it has been self-generated in performance of its tasks. The CJEU also held that a Supervisory Authority is competent to verify whether national law appropriately protects a data subject’s legitimate interests, but noted that this does not extend to an assessment of the appropriateness of the security measures a controller is required to implement.

  • Processing of employee data

In Case C-65/23, an employee sought compensation for the non-material damage they claimed to have suffered as a result of their employer processing their personal data contrary to an agreement. The agreement prohibited the use of a particular software for the processing of data for HR management purposes and restricted the types of personal data that could be transferred to the employer’s parent company in the US.

Article 88 of the GDPR describes how Member States may provide for more specific rules on the processing of employee data. The CJEU concluded that these rules must meet the requirements of Article 88(2) (regarding suitable and specific measures to safeguard the rights of data subjects), as well as Article 5 (Principles), Article 6(1) (Consent) and Article 9(2) (Special Category Data) of the GDPR. Where such rules are set via a collective agreement, a national court can still carry out a full judicial review despite the margin of discretion the parties have to determine whether the processing is “necessary”.

Data Transfers

EU: The European Consumer Organisation ("BEUC") published a position paper on improving cross-border GDPR enforcement for consumers

The BEUC's position paper sets out how it would intend to improve cross-border enforcement of the GDPR for consumers, recognising the "disproportionate hurdles" faced by consumers, consumer organisations and organisations representing them when lodging complaints with cross-border DPAs, and the knock-on challenges these create. Key recommendations in the position paper include establishing time limits for lead and concerned authorities under the cross-border mechanism, guaranteeing complainants' right to be heard, simplifying the complaints and investigations process and enhancing authority co-operation.

UK: ICO published guidance to help organisations to share data responsibly whilst preventing scams and fraud

The guidance, which is aimed at private sector organisations across the digital economy (such as financial services, telecommunications and digital platforms), sets out several considerations to take into account when sharing personal data to stop scams and fraudulent behaviour. Examples include conducting DPIAs, setting out the responsibilities of each controller clearly in data sharing agreements, identifying a lawful basis for sharing the data, understanding the data protection principles and the rules around processing special category and criminal offence data, and ensuring policies and procedures are in place to enable data subjects to exercise their rights.

EU: The EDPB adopted a report on the first review of the EU-US Data Privacy Framework (“DPF”) and a statement on the recommendations on law enforcement data access

In the report, the EDPB has acknowledged the efforts of the US authorities and the EC to implement the DPF and has encouraged US authorities to develop more guidance to clarify the requirements for DPF-certified companies when they transfer personal data they have received from the EU. The EDPB has also recommended that the EC monitors the development of US legislation regarding access to data by law enforcement, to ensure the rights and freedoms of EU individuals remain protected. The next review of the EU-US adequacy decision is expected to take place within the next three years.

Moreover, in June 2023 the Presidency of the Council and the EC launched the 'High-Level Group on Access to Data for Effective Law Enforcement' ("HLG") to improve the way in which law enforcement practitioners work, to ensure "the availability of effective law enforcement tools to fight crime and enhance public security". However, in its statement, the EDPB has raised concerns that some of the 42 recommendations of the HLG (for example, regarding data retention and data security) may be too intrusive and contravene human rights principles.

Public sector

UK: ICO published advice to local authorities facing financial restrictions

In its advice, the ICO has provided key tips to help local authorities meet their statutory obligations when dealing with Freedom of Information ("FOI") Requests and Data Subject Access Requests ("DSARs") whilst under resourcing and financial pressure. Examples include:

  • Have organised file management practices that comply with appropriate retention policies;
  • Anticipate increased volumes of requests (e.g. using the data from senior management reports);
  • Have open internal communication to help deal with large volumes and establish ownership of requests;
  • Engage in early correspondence with third parties who have submitted DSARs to determine the level of response required;
  • Be open and transparent with customers around the challenges faced and set realistic timelines for responses/alternative options to reduce delays;
  • Understand customers' information needs with the aim of agreeing to reasonable searches to narrow the request and deploy resources efficiently;
  • Proactively publish BAU information;
  • Share the ICO's open letter to senior leaders to improve internal compliance; and
  • Appropriately train staff members on how to manage FOI requests and DSARs.

If you're struggling to keep up with the demand and need some cost-effective resource, we can help! Please do reach out to your usual DWF Data Protection & Cyber Security contact or any of the authors of this article.

UK: ICO publishes a statement on its public sector approach

The ICO has issued a statement following its review of the two-year trial of the public sector approach, which has shown that reprimands have proved to be an effective deterrent and have also resulted in public bodies making significant changes to improve their internal processes and procedures. However, wider public sector organisations were reported to have “limited awareness, which means we must do more to share best practice and lessons learned”. The ICO has proposed some updates to the public sector approach, including its scope and the circumstances that will lead to a fine, and is inviting stakeholders to come forward with their views. The consultation will remain open until 31 January 2025.

If you have any questions relating to this article, please reach out to our authors below.

Meet the Team

Kelly Marum

Kelly qualified in 2024 as a Solicitor in DWF’s Data Protection & Cyber Security Team in Manchester, following completion of the Solicitor Apprenticeship.

Kelly has supported clients across multiple areas of data protection, such as: data subject rights requests (including those made in different jurisdictions); data sharing agreements; data processing agreements; direct marketing activities; cookie compliance assessments; regulatory enforcement matters in respect of contraventions of the Privacy and Electronic Communications Regulations; and supporting DWF's Corporate team with due diligence projects from a data protection perspective.

Kelly has also spent 6 months seconded to a client where she predominantly assisted with improving their data protection compliance, including reviewing and updating cookie policies and privacy notices for their group companies across the UK and EU, and advising stakeholders across the business on general data protection queries. Kelly is currently on a part-time secondment to a large financial technology company where she is supporting their privacy team with day-to-day activities, including third party supplier due diligence checks, developing internal compliance policies and reviewing and advising on data protection terms in contracts.