Data Bytes 42: Your UK and European Data Privacy update for November 2023
06 December 2023
Welcome to our November edition of Data Bytes, where the Ashurst UK and European Data Privacy and Cyber Security Team look to summarise the key privacy legal and policy developments of the previous month.
In the privacy world, November has become synonymous with a Eurostar trip to Brussels and two jam-packed days at the annual EU IAPP conference, avoiding the Brussels drizzle to connect and reconnect with privacy professionals from clients and competitors. This year was no exception, and if the queue for the cloakroom was indicative, it was the biggest conference we have ever been to, with over 3000 people in attendance. See the Ashurst data team's key learnings and takeaways in our Spotlight section below.
Team data at Ashurst is taking a well-earned break from Data Bytes over the coming weeks and will be back providing you with your byte-sized updates for December and January at the end of January 2024. We wish everyone season's greetings and a happy new year in advance.
The Ashurst UK and European Data Privacy and Cyber Security Team
On 21 November 2023, the ICO announced it has warned some of the UK's top websites that they face enforcement action in relation to their use of cookies if they do not make changes to comply with data protection law. The ICO noted that some of the websites do not give users fair choices over whether or not to be tracked for personalised advertising and, in particular, fail to make it as easy for users to "reject all" advertising cookies as it is to "accept all". The relevant organisations have 30 days to ensure their websites comply with the law, and the ICO will provide an update in January with details of the companies that have failed to remediate their websites.
This warning serves as a wake-up call for all organisations using cookies on their websites, particularly where they are used for targeted advertising purposes. Such cookies require explicit opt-in consent from the user before they are set on the user's device. Many organisations seek to do this with a cookie banner which pops up when a user first enters the website and encourages the user to "accept all" or "click here for more information". It is this practice that the ICO is now focussing on, making the point that compelling users to navigate through various layers of notices to opt out of cookies does not meet the requirement of valid consent. Cookie compliance has not previously been a focus for enforcement by the ICO, but since it is very easy for the ICO to see whether organisations are compliant by simply visiting their website, the ICO may now view this as low-hanging fruit from an enforcement perspective. We recommend that organisations conduct a cookie compliance audit of their websites and apps where cookies and similar technologies are in use.
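As an added illustration (not code from Ashurst or the ICO), the following script models the two points above: non-essential cookies are gated on an explicit choice, a first-load audit lists anything set before that choice, and a banner check confirms "reject all" is no harder to reach than "accept all". The cookie names, categories and click counts are constructed sample values, not a real inventory.

```javascript
// Added example (not from Ashurst or the ICO): a minimal consent gate and a
// pre-consent cookie audit built around the two ICO points above. Cookie names
// and categories below are a constructed sample, not a real inventory.

// Constructed classification of cookies by purpose.
const COOKIE_CATEGORIES = {
  session_id: "strictly_necessary",
  csrf_token: "strictly_necessary",
  _ga: "analytics",
  _fbp: "advertising",
  ads_id: "advertising",
};

// Before any affirmative choice, only strictly necessary cookies are permitted.
function defaultConsent() {
  return { strictly_necessary: true, analytics: false, advertising: false };
}

// Map a banner interaction to a consent state. Anything other than an explicit
// choice (e.g. closing or ignoring the banner) leaves the defaults in place.
function applyChoice(choice) {
  const consent = defaultConsent();
  if (choice === "accept_all") {
    consent.analytics = true;
    consent.advertising = true;
  } else if (choice && typeof choice === "object") {
    // Granular preferences from the "manage" layer; necessary cookies stay on.
    consent.analytics = choice.analytics === true;
    consent.advertising = choice.advertising === true;
  }
  return consent;
}

// Gate every cookie write on the current consent state. Unclassified cookies
// are treated as non-essential so that an inventory gap fails closed.
function maySetCookie(name, consent) {
  const category = COOKIE_CATEGORIES[name] || "advertising";
  return consent[category] === true;
}

// Audit step: given the cookie names observed on first page load, before the
// banner has been interacted with, return those that should not be there.
function auditPreConsentCookies(observedNames) {
  const consent = defaultConsent();
  return observedNames.filter((name) => !maySetCookie(name, consent));
}

// A banner is modelled by the controls reachable from its first layer and the
// number of clicks each takes from that layer. "Reject all" must be no harder
// to reach than "Accept all".
function compliantBanner() {
  return [
    { id: "accept_all", clicks: 1 },
    { id: "reject_all", clicks: 1 },
    { id: "manage", clicks: 1 },
  ];
}

// The pattern the ICO criticised: "accept all" up front, rejection buried
// behind a "more information" layer.
function nestedRejectBanner() {
  return [
    { id: "accept_all", clicks: 1 },
    { id: "more_information", clicks: 1 },
    { id: "reject_all", clicks: 3 },
  ];
}

function bannerOffersEqualReject(controls) {
  const accept = controls.find((c) => c.id === "accept_all");
  const reject = controls.find((c) => c.id === "reject_all");
  return Boolean(accept && reject && reject.clicks <= accept.clicks);
}
```

In a real audit, the list passed to auditPreConsentCookies would come from the cookies observed in a fresh browser profile on first load, before any banner interaction.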
On 29 November 2023, the UK Data Protection and Digital Information Bill (no.2) had its third reading in the House of Commons following the Government's publication of over 120 tabled amendments to the bill on 24 November 2023.
Three of the more interesting amendments are:
The text of the Bill now stands at over 300 pages but, despite its length and the number of amendments, it is still expected to be on the statute book before the next general election.
Whilst the UK is seeking to move away from at least some of the restrictions in EU data protection law through the UK Data Protection and Digital Information Bill, there is still much desire to continue to co-operate on the enforcement of applicable data protection laws at the regulator level. On 8 November 2023, the ICO and the European Data Protection Supervisor (EDPS) entered into a Memorandum of Understanding for Cooperation in the Application of Laws Protecting Personal Data (the "MoU"). The EDPS is the independent supervisory authority responsible for monitoring data protection in relation to EU institutions and bodies, as well as advising on policies and legislation that affect privacy. The MoU establishes a framework for cooperation on the enforcement of applicable data protection and privacy laws, including parallel or joint investigations. It is intended to deepen existing relations and achieve broader collaboration between the regulators, with the aim of reducing regulatory divergence in the protection of personal data.
On 17 November 2023, the ICO announced it is seeking permission to appeal the First-tier Tribunal's decision which allowed the appeal by Clearview AI Inc (Clearview) against the ICO's enforcement notice and monetary penalty notice issued in May 2022 for breach of UK data protection legislation. Details of the Tribunal's decision can be found in our October edition of Data Bytes. The ICO noted that it disagrees with the Tribunal's finding that Clearview's data processing fell outside the territorial scope of UK data protection law.
You'll recall in the Spotlight of our October edition on AI Governance and Privacy: Annual Roundtable that 'time was running out for the current UK government to adopt any specific AI legislation given that the final King's speech planned before the next general election will take place in November'. While the UK government remains steadfast in its approach to a 'non-statutory framework', a Private Members' Bill (starting in the House of Lords) entitled 'Artificial Intelligence (Regulation) Bill', was introduced to the UK Parliament by Lord Holmes of Richmond (a member of the House of Lords) and had its first reading last week on 22 November 2023.
The Bill seeks to:
Private Members' Bills are introduced by MPs and Peers who are not government ministers. The government's position on this bill is not clear and the success rate for such bills is very low. However, given the public interest in its subject matter and the starkly contrasting approach the EU is taking, it is still a potential prompt for the government to consider legislative action.
The Data Act has run through the final formal approval processes of the European Parliament and the Council and will be published in the Official Journal, triggering the 20-month sunrise period until it takes effect in Q3 2025. Since the inception of the GDPR, no other piece of European legislation on the digital economy will have had a stronger impact on how businesses and public and private institutions need to organise and further develop their data strategy and data governance structures. For the first time, the EU is putting out a horizontal regulation on the data economy applying across all sectors, one that is untested and unprecedented in terms of what it intends to achieve.
Users of connected products and related services (consumers as much as businesses) will have the right to request that data holders (typically the manufacturers or operators of connected devices, which can be anything from handheld devices to cars, aircraft, machines on factory shopfloors etc.) give them access to the "readily available" raw data and metadata that those IoT devices generate (IoT data), and to share that data with third parties. The third party recipients will be able to use that data for new service and product offerings, as long as they do not create competitive products in relation to those of the data holder and provided such data does not fall into the hands of "gatekeepers" under the Digital Markets Act. The Data Act sets out detailed rules on data access and data sharing, including the fair and non-discriminatory contract terms the data holder must observe, as well as reasonable compensation for the data holder. The latter is limited to cost coverage plus a reasonable margin; the Data Act does not support a data monetisation model as such.
The Data Act sets narrow boundaries on a possible trade secrets defence by the data holder. As a rule, a data holder will need to share IoT data even where the information in the data contains trade secrets. The data holder will have the right to refuse a data access and sharing request in highly exceptional cases only, i.e. where the data holder would suffer significant damages despite implementing suitable protective measures with the user or the third party data recipient.
The Data Act also provides for a general "cloud-switching right" (which is unrelated to connected products) that gives the customer the right to instruct a cloud service provider to hand over the customer's data to a competitor cloud provider within 2 months against a largely cost-covering compensation (egress charge). Further, the Data Act contains provisions on using smart contracts for effecting data sharing transactions.
Where the IoT data represents personal data of the users, data holders and third party recipients will need to comply with all applicable requirements of the GDPR. The Data Act neither modifies, replaces nor extends in any form the provisions of the GDPR. Some uncertainty may arise, however, regarding how the data portability right (Art. 20 GDPR) aligns with the broader data sharing right under the Data Act, as we discussed in our October edition.
The Data Act sets out an innovative expedited dispute resolution mechanism. EU member states will institute dispute settlement bodies that are competent to adjudicate within 90 days on disputes regarding data access and sharing rights, as well as cloud switching rights. The dispute settlement awards are binding on the parties, provided the parties have declared that they accept such awards as binding. Otherwise, parties remain free to pursue enforcement through ordinary courts or other dispute settlement fora. The Data Act will institute supervisory authorities with the authority to enforce compliance with the Data Act, including through fines similar to the framework stipulated by the GDPR (reaching up to 2-4% of annual turnover of entities in breach of their obligations). The Data Act also foresees the establishment of a European Data Innovation Board to develop guidelines and promote the innovative approach of the Data Act.
The significance and impact of the Data Act cannot be overestimated. It is the cornerstone of the European Digital Strategy and Data Strategy. The data access and data sharing rights lay the grounds for unleashing the potential of data and facilitating the circulation of data. Any company will need to reconsider its data strategy, identify its role as a data holder or a user, and/or where it could see itself as a third party data recipient that leverages the data access rights of users. Given the opportunities laid out in the Data Act, the issue is far more strategic in nature. It goes beyond a thorough compliance exercise such as the GDPR and requires the attention of executive decision makers in any organisation.
Given the horizontal regulatory nature of the Data Act, further sector specific regulations on data access and data sharing rights are likely to follow soon. The Financial Data Access Regulation (first draft issued in June 2023) is already under debate.
Ashurst has set out a series of webinars, articles, and other educational materials such as workshops to raise awareness and help businesses start their data strategy process. The 20-month transition period is short, considering that preparations for the Data Act will easily reach a scale comparable to, and possibly exceeding, what companies experienced when adapting to the GDPR.
On 9 November 2023, the Court of Justice of the European Union ("CJEU") ruled that vehicle identification numbers (VINs) do not qualify per se as personal data. Rather, the test is to be applied on a case-by-case basis, considering the reasonable means available to associate the VIN with a specific person. However, the CJEU does not lay down practical rules as to when a means can reasonably be used to identify the owner of the vehicle. The CJEU's preliminary ruling followed questions referred by the Regional Court of Cologne (Landgericht Köln), including whether the defendant Scania CV AB would be obliged to provide vehicle OBD and vehicle repair and maintenance information under Art. 61 para. 1, 2 EU Type Approval Regulation 2018/858 to independent operators represented by the spare part retailer association (Gesamtverband Autoteile-Handel e.V), and whether such a data transmission would be covered by the GDPR legal basis for processing that is necessary for compliance with a legal obligation to which the controller is subject (Art. 6 para. 1 lit. c GDPR).
With its ruling, the CJEU has strengthened the rights of independent operators and has ruled in favour of competition in the automotive sector. Vehicle manufacturers (OEMs) do not necessarily have to provide an automated database interface which enables machine-controlled search queries. However, they must provide technical information in a format allowing the recipient to conduct further electronic processing directly.
With respect to data protection related restrictions on the transmission, the CJEU corroborates its view on when the VIN constitutes information about an identifiable natural person. The CJEU confirms that the VIN is personal data only if the independent operators "reasonably have at their disposal the means enabling them to link a VIN to an identified or identifiable natural person". In its reasoning, the CJEU relies on well-known principles from the Breyer judgment stating that "account should be taken of all the means likely reasonably to be used either by the controller, within the meaning of Article 4(7) of the GDPR, or by any other person, to identify that person, without, however, requiring that all the information enabling that person to be identified should be in the hands of a single entity". The CJEU leaves the further assessment to the Regional Court of Cologne. According to the CJEU, if the VIN is considered personal data by the court, the obligation to provide vehicle data under Art. 61 para. 1, 2 EU 2018/858 represents a legal basis under Art. 6 para. 1 lit. c GDPR (compliance with a legal obligation).
The CJEU's ruling is a significant step forward in "demystifying" the common belief that the VIN always and under all circumstances represents personal data. The CJEU will soon have a further opportunity to elaborate on this issue, which is highly important for the entire automotive industry, including suppliers and after-market sales. In its upcoming decision Single Resolution Board (SRB) vs. European Data Protection Supervisor (EDPS), the CJEU will explicitly address whether it is just the controller, or rather any third party, that must have the means to link the VIN to an identifiable person in order for the VIN to qualify as personal data.
On 14 November 2023, the European Data Protection Board ("EDPB") adopted its Guidelines 2/2023 on the Technical Scope of Art. 5 para. 3 ePrivacy Directive ("ePD"). Art. 5 para. 3 ePD is commonly known for establishing cookie notice and cookie consent requirements in the EU. However, the provision has a much broader scope. To clarify the technical scope, the EDPB carries out an analysis of the criteria of Art. 5 para. 3, namely: (1) information, (2) terminal equipment, (3) electronic communication network, (4) gaining access and (5) storage.
(1) information: With reference to recital 24 ePD, the EDPB outlines the purpose of Art. 5 para. 3 ePD as protecting the private sphere of the user. Thus, "the notion of information includes both non-personal data and personal data, regardless of how this data was stored and by whom". Unlike the GDPR, the ePD does not protect personal data as such, but rather the digital sphere. Analogous to national member state laws that protect a physical sphere, such as the home, the ePD protects the private storage space of a cell phone.
(2) terminal equipment: The EDPB states that terminal equipment can comprise any number of individual pieces of hardware which together form the terminal equipment. It may, but does not need to, take the form of a physically enclosed device hosting all display, processing, storage and peripheral hardware, for instance smartphones, laptops, connected cars, connected TVs or smart glasses. A device that only conveys information without performing any modifications to that information would not be considered terminal equipment.
(3) electronic communication network: The EDPB refers to the definition of electronic communication networks in the European Electronic Communications Code, which is neutral with respect to transmission technologies. It also does not depend on the public or private nature of the infrastructure, nor on the way the network is deployed or managed. Additionally, the definition of network does not limit the number of terminal equipment present in the network at any time.
(4) gaining access: The EDPB highlights that the ePD aims to protect the confidentiality of communications and the integrity of devices as laid out in recital 24. Gaining access takes place if such confidentiality and integrity is violated, for instance if a person gains access to information stored on a mobile phone without the knowledge and consent of the device owner. The EDPB stresses that legal persons are also safeguarded by the ePD and that gaining access and storage do not need to be cumulatively present for Art. 5 para. 3 ePD to apply.
(5) storage: Storage refers to placing information on a physical electronic storage medium that is part of a user's or subscriber's terminal equipment. The term covers both storing through direct access by another party to the user's phone and instructing software on the terminal equipment to generate specific information. The ePD does not set any minimum length of time or amount of information for which information must persist on a storage medium to count as stored. Additionally, storage is not limited to memory or drives; it can also involve magnetic tape or central processing units (CPUs).
On 22 November 2023, the Italian data protection authority ("Garante") announced an investigation into data collection practices for algorithm training. The investigation will cover public and private entities operating as data controllers, established in Italy or offering services in Italy, that make personal data freely available online. The Garante aims to "verify the adoption of suitable security measures to prevent the massive collection (webscraping) of personal data". The Garante has opened a 60-day public consultation on potential security measures.
On 12 October 2023, the CJEU gave its first interim ruling concerning the legal claim filed by a French Member of Parliament against the Data Privacy Framework ("DPF") agreed between the US and the EU last July. The claim was based in particular on the absence of effective remedy, the breach of minimisation and proportionality principles due to US surveillance authorities and the unavailability of the agreement in official EU languages other than English.
The Court rejected the claim for insufficient grounds as there was no urgency to grant an interim relief. As a result, the agreement is still in force, until further litigation – which is likely to occur soon.
Since its entry into force on 10 July 2023, US-based organisations under the jurisdiction of the Fair Trade Commission ("FTC") or the Department of Justice ("DOJ") can self-certify to the DPF Program online. To be listed as a compliant organisation regarding the DPF principles, an organisation must submit certain information to the US Department of Commerce's International Trade Administration ("ITA"). This information includes its compliant privacy policy, the contact who handles complaints or data access requests, the existence of an independent recourse mechanism for each type of personal data where appropriate, and the exact location of this privacy policy (which has to be made publicly available).
Attempts to find an agreement allowing the US to benefit from Article 45 of the GDPR have been numerous but always invalidated by the CJEU. This article authorises the transfer of personal data outside the EU territory, provided that the European Commission considers that the third country ensures an adequate level of protection. The Data Privacy Framework is in fact the third version of the Safe Harbour Agreement negotiated between the US and the EU, invalidated in 2015 by the CJEU. A second attempt, the Privacy Shield, met the same fate in 2020.
What do these rulings have in common? The instigator of both challenges, Austrian Max Schrems, a fervent defender of GDPR compliance, at the head of the non-profit organisation NOYB (None Of Your Business). Having lent his name to the CJEU's two previous rulings, he has already expressed his views on the alleged inadequacies of this latest agreement.
In his opinion, the possibility for US intelligence agencies to access transferred data if "necessary and proportionate" is inadequate. He believes that the interpretation of these two conditions is too permissive without further US legislation to regulate their intelligence services. In his view, European standards cannot be met until FISA 702 (Foreign Intelligence Service Act) is amended to provide reasonable protection for the personal data of non-American citizens.
He also stressed that the new American authority (Data Protection Review Court), that is supposed to enable citizens to complain about breaches of their personal data processing, lacks the independence needed to comply with European standards. Finally, the absence in the DPF of provisions to regulate the transfer of data from the US to third countries is a cause for concern for the Austrian, who claims that this constitutes a significant risk to the security of personal data coming from the EU in case of onward transfers.
NOYB has already expressed its determination to challenge the new agreement. The CJEU will then have the option of either suspending the agreement for the duration of the proceedings or maintaining it until its decision. By comparison, the Court did not use its suspensive power during the previous cases. NOYB's request will be submitted within the next few months, according to the organisation, by early 2024 at the latest.
Meanwhile, transfers of personal data across the Atlantic remain subject to uncertainty, but solutions still exist. Until there is more legal certainty on the DPF, some companies prefer to use Standard Contractual Clauses (SCCs) incorporating a Transfer Impact Assessment (TIA) in order to ensure business continuity.
This month we attended the IAPP DPC 2023 in Brussels with over 3000 privacy professionals. It was a great opportunity to catch up with clients and take part in some insightful discussions on the latest data protection issues. Our top takeaways on AI governance, data retention and upcoming EU laws are summarised below.
Unsurprisingly, given the slew of developments and media stories this year, artificial intelligence featured heavily in numerous sessions. It was specifically AI governance that formed the focus of the debates, and it was clear that many organisations are grappling with the question of how, in the absence of hard law, they can demonstrate their governance of AI to regulators, employees and clients. This is particularly relevant from a UK perspective given that the Government has confirmed recently that it has no plans to introduce new AI legislation "in the short term" (i.e. ahead of the next general election).
As we noted in our recent client roundtable on AI Governance, existing data protection compliance and risk frameworks already established by many organisations can be adapted and updated to take account of AI governance principles. Several organisations were specifically seeking to adapt the GDPR concept of privacy-by-design to cover "responsible AI-by-design" and design AI impact assessments leveraging existing data protection impact assessments.
Stepping away from the AI debates, one topic of discussion which caught our attention was data retention. We heard that many organisations are facing difficult practical dilemmas about data retention and in particular how to successfully balance the need to delete data against legal and business requirements to keep hold of information. Some of the most acute challenges relate to dealing with unstructured data as well as the extensive and varying local law requirements which may impact data sitting in the same system. We have been working on a number of projects recently with our Ashurst Risk Advisory colleagues to address these challenges and have found the answer can lie in establishing unified and simplified rules which are practically actionable. In addition, an organisation's broader data governance framework often holds the key to enabling an effective data retention programme.
The extensive list of upcoming EU data laws was summarised by one panel as an "alphabet soup". There was discussion of the Digital Services Act (DSA), Digital Markets Act (DMA), NIS2 and the AI Act, as well as the Data Act. However, one conspicuous omission from the panel discussion was the e-Privacy regulation. A representative from the EU Commission was not able to give any meaningful update on the status of the e-Privacy regulation when a question was raised by a member of the audience.
The closing session was hosted by Commissioner Reynders and it was apparent that the EU Commission is not only focussed on upcoming legislation like the AI Act and Data Act but also on several important GDPR related reviews. A review of the GDPR itself is due in 2024 as well as planned periodic reviews of existing adequacy decisions including the UK.
We will be keeping track of these developments over the coming months and plan to share further insights from the team at our end of year privacy round-up event scheduled for 1 February. Register your interest in attending here.
Authors: Rhiannon Webster, Partner; Andreas Mauroschat, Partner; Alexander Duisberg, Partner; Nicolas Quoy, Partner; Shehana Cameron-Perera, Senior Associate; Antoine Boullet, Senior Associate, Tom Brookes, Associate; David Plischka, Associate; Prithivi Venkatesh, Trainee Solicitor; Claude Fuhrer, Trainee Solicitor.
The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
Readers should take legal advice before applying it to specific issues or transactions.