Data Protection News and Trends

Welcome back to the fifth edition of our Data Protection News and Trends. Since our last edition in March this year, the world of data protection has seen numerous developments, resulting in additional compliance challenges for organisations. Notably, the UK’s Data Protection and Digital Information Bill was recently shelved as a result of the calling of an early General Election.

In this edition, we provide an overview of these key updates from the past few months:

Latest updates

The Information Commissioner’s Office (ICO) remains a highly active regulator. As usual, we have summarised recent trends in the ICO’s enforcement actions, outlining its focus areas (such as children’s privacy, direct marketing, and advertising technologies).

‘Generative AI’ is the new buzzword, and it has been raising a number of questions among our clients and peers. In an effort to address these, we also cover the ICO’s new series of consultations on generative AI. In this edition, we focus on consultations regarding the applicable lawful basis when scraping web data for AI training purposes and the implications of the purpose limitation principle.

The risk of financial penalties continues to be one of the key concerns for organisations and we have included an overview of the ICO’s recent guidance on its process for issuing and calculating fines, aiming to provide greater transparency about how the ICO exercises its fining powers.

There have also been significant developments in the EU. The much-anticipated EU AI Act has finally been adopted, ushering the EU into a historic new era of AI regulation. While the act itself is quite detailed, we have tried to distil it and offer you some of its key takeaways that we thought may be useful for you.


The EU recently adopted the Data Act, creating a new chapter in the bloc’s data governance approach. This article provides an overview of the Data Act’s key provisions and its implications for businesses and consumers.

Read an overview of the ICO’s enforcement actions from the last few months. We spotlight noteworthy trends across both private and public sector organisations and how they may affect your organisation. 

The UK Parliament passed the Online Safety Act, which represents a major shift in regulating the use of the internet. The act seeks to control harmful online content to enhance the safety of UK internet users. 

The UK’s data protection reform draws nearer as the Data Protection and Digital Information Bill no. 2 continues to move its way through the parliamentary procedures. The bill proposes a number of changes for UK-based organisations, seeking to overhaul the existing data protection regime in several ways. 

In this update, we provide a refresher on what cookies and similar technologies are and review the ICO’s recent communication, warning organisations to ensure they are continuing to consider data protection law when using cookies or similar technologies to advertise to data subjects.  

The Irish Data Protection Commissioner (DPC) imposed a €1.2 billion fine on Meta Ireland for the failure to comply with the international data transfer rules contained in Chapter V of the GDPR. The decision provided clarity on important issues from standard contractual clauses to transfer impact assessments and Article 49 derogations and serves as a reminder of the importance of complying with international data transfer requirements.

The European Commission proposed the first-of-its-kind AI regulatory framework for the EU. The proposal, in the form of the draft AI Act, follows a risk-based approach: AI systems will be evaluated and categorised based on the level of risk they present to users, which will also determine the stringency of applicable regulatory requirements.

The last quarter saw significant developments in the international data transfer landscape. The EU-US Data Privacy Framework was implemented over the summer, paving the way for free flows of data between the jurisdictions. It was recently followed by the UK-US Data Bridge, an extension to the EU-US framework, allowing UK organisations to share data freely with US organisations that have self-certified with the framework.

In this update, we review the ICO’s enforcement action in the last quarter and its areas of focus and/or concern. We highlight some of the key trends we noticed with respect to private and public sector organisations alike and also touch upon why this remains significant for your organisation.

In a historic move, the Irish Data Protection Commission (DPC) imposed a €345 million fine on TikTok Technology Limited (‘TikTok’) in September 2023. This decision arises from a breach of the GDPR by TikTok, particularly concerning children's data. This fine follows a previous £12.7 million penalty by the UK's Information Commissioner. The DPC's in-depth investigation unveiled several significant findings, including public child profiles, security breaches, lack of transparency, and the use of 'dark patterns'. TikTok faces a substantial challenge to bring its practices in line with the law within three months, while maintaining its strong disagreement with the decision.

The ICO has a range of enforcement powers at its disposal, which can be used in the event of non-compliance with UK data protection regulation. In this update, we have analysed recent ICO enforcement action from October last year up to and including March this year, to identify any trends, areas of ICO focus and/or concern, and to highlight why this may be significant for your organisation.

Following the public consultation, in February 2023 the European Data Protection Board (EDPB) published finalised guidelines on the interplay between the territorial scope and GDPR’s international data transfer provisions. The guidelines set out a three-pronged approach for assessing whether a processing operation qualifies as an international transfer of personal data and provide illustrative examples of some of the most common international data transfer cases. UK businesses with an exposure to international data transfers caught by the EU GDPR should consider reviewing their arrangements in light of this document.

On March 15, 2023, the ICO updated its AI and Data Protection Guidance in response to the UK industry's request for clarity on AI fairness requirements. In this newsletter, we explore the updated AI Guidance, which will be an important starting point for any UK-based organisation’s data protection compliance journey when considering implementing AI solutions. We provide an overview of the key changes to the guidance, with a particular focus on the accountability and governance considerations in AI, the meaning of “Transparency”, “Lawfulness” and “Fairness” in AI, and the key concepts to consider when implementing AI solutions.

In 2022, the UK announced a possible fine of £27m against TikTok for processing children's personal data without appropriate parental consent, failing to comply with the transparency principle, and processing special category data without an appropriate lawful basis.

There were two key developments for international data transfers this year: the newly proposed data transfer framework between the EU and the US, and the ICO’s new transfer risk assessment (TRA) tool and guidance.

In October 2022, the White House published an executive order implementing the EU-US Data Privacy Framework (DPF) into US law. The EU Commission has initiated the process to adopt a final adequacy decision, which is likely to take 6 months. While the decision does not directly affect UK-based organisations, the UK is likely to follow a similar approach, so they should be aware of the outcome.

The ICO has released new guidance on direct marketing using electronic mail, which explains the rules under the Privacy and Electronic Communications Regulations 2003 (PECR) and how companies should comply, including by using consent and soft opt-in mechanisms.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.