
Data Bytes 43: Your UK and European Data Privacy update for December 2023 and January 2024


    Welcome to your first Data Bytes of 2024, where the Ashurst UK and European Data Privacy and Cyber Security team look to summarise the key privacy legal and policy developments of the previous month. 

    In a bumper issue covering December and January we also report on our annual data protection round-up event, which we held at our London office on 1 February. See our insights in the spotlight section below.

    The Ashurst UK and European Data Privacy and Cyber Security Team 

    UK Developments

    1. ICO issues update on cookie warnings 

    On 31 January 2024, the ICO issued an update in relation to its cookie warning activities, which we previously reported on in November 2023. In this latest update, the ICO is encouraging organisations to take proactive steps to ensure their use of advertising cookies on websites is compliant with the law. The ICO revealed that it sent warning letters in November to 53 of the UK's top 100 websites and that it is already preparing to write to the next 100 websites.

    Given the current level of focus by the ICO on cookie compliance, we recommend that organisations prioritise audits of their websites to understand what cookies are being used, particularly for advertising purposes, and check that appropriate consent is obtained where necessary. 

    2. ICO launches consultation series on generative AI

    On 15 January 2024, the ICO launched a consultation series examining how aspects of UK data protection law should apply to the development and use of generative AI. The consultation follows a blog post published last year in which the ICO set out key questions concerning generative AI. The first chapter of the consultation series focuses on the appropriate lawful basis for training generative AI models on personal data scraped from the internet.

    The ICO appears to be taking a pragmatic approach to this topic, noting that legitimate interest is likely to be the lawful basis relied on and recognising that web scraping is likely to be necessary for training these models until future technological developments offer novel alternatives. Interested stakeholders can provide responses to the consultation until 1 March 2024.

    3. ICO fines HelloFresh for spam texts and emails

    The ICO announced on 12 January 2024 that it had imposed a fine of £140,000 on food delivery company HelloFresh for breaching the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), after 14 complaints were made directly to the regulator and a further 8,729 were made to the 7726 spam message reporting service.

    HelloFresh's consent statement was one of the key areas of non-compliance identified by the ICO. In particular, the ICO found that the statement lacked specificity, failing to mention that SMS direct marketing messages would be sent, and was bundled together with an age confirmation. The ICO was also critical of the fact that some customers continued to receive marketing messages 24 months after terminating their subscription with the company. This enforcement action is another reminder of the ICO's focus on non-compliance with direct marketing laws and of the need for precise drafting of consent notices.

    4. ICO Publishes Response to UK Data Protection and Digital Information Bill

    On 18 December 2023, the ICO published its response to changes made to the UK Data Protection and Digital Information Bill (No.2) (the Bill) at the House of Commons Committee Stage.  The changes introduced by the Government included: (i) further safeguards to the independence of the ICO; (ii) extension to 72 hours of the reporting period for personal data breaches under the Privacy and Electronic Communications Regulations; and (iii) new powers to require personal data from third parties, including financial services providers, to support UK government efforts to reduce benefit fraud.

    The Commissioner noted that overall he supported the Bill, despite expressing concerns about the lack of appropriate safeguards around the proposed powers to obtain benefits information. The Bill is currently at the committee stage in the House of Lords and still needs to undergo a third reading before being passed into law.

    5. ICO releases two new pieces of employment guidance for consultation

    On 12 December 2023, the ICO announced that it is producing an online resource with guidance on employment practices and data protection. As part of this new resource, it released two new pieces of draft guidance for public consultation – one focusing on collecting and keeping employment records and the other on recruitment and selection of candidates.

    The guidance on keeping employment records provides some detailed considerations of how employers might share data as part of corporate transactions, including where information is requested outside of the TUPE regulations. There is some particularly helpful information about when a legitimate interests assessment (LIA) might be required.

    The recruitment draft guidance specifically addresses the use of AI in an employment context. In particular, the guidance suggests that as "good practice" the overall decision about whether to recruit someone is made by a human. It also provides links to key considerations around use of AI including algorithmic fairness and issues of bias.

    Both consultations close on 5 March 2024.

    6. ICO reprimands Bank of Ireland for maintaining inaccurate customer account data 

    On 15 December 2023, the ICO issued a reprimand to the Bank of Ireland ("BoI") for providing inaccurate outstanding balance records to credit reference agencies ("CRAs"), affecting 3,284 BoI customers between 2018 and 2020.

    The ICO clarified that the incident was not a personal data breach as defined in the UK GDPR and stated that, due to the various factors which feed into a credit score determination, it was not possible to clearly quantify the potential harm caused to affected customers. However, the ICO believed it was reasonable to assume that some negative customer impact would have occurred due to this incorrect reporting, which could have led to unfair refusal of credit for mortgages, loans or other credit products. This case highlights the need for businesses to have sufficient risk management and oversight measures in place and to undertake assurance reviews to ensure that accurate personal data is maintained and adjusted based on the risk profile of each of its business activities.

    7. ICO issues UK BCR Addendum for use with approved EU BCRs

    On 19 December 2023, the ICO published an addendum that organisations with approved EU Binding Corporate Rules (BCRs) can use as an appropriate safeguard for making restricted transfers under the UK GDPR. The addendum is intended to provide a streamlined BCR process and remove duplication of documentation for organisations which already have EU BCRs. At the same time, the ICO released guidance supporting organisations with the process for applying for a UK BCR, completing the addendum and ongoing obligations.

    8. ICO releases revised guidance on UK-US TRAs

    On 6 December 2023, the ICO published revised guidance on transfers to a recipient in the US using the Article 46 transfer mechanism. The revised guidance clarifies that, as part of the transfer risk assessment ("TRA"), an organisation may rely on the published analysis from the Department for Science, Innovation and Technology ("DSIT"). This is the analysis produced by DSIT in connection with the adequacy regulations for the UK Extension to the EU-US Data Privacy Framework ("DPF"), and the ability to rely on it will substantially simplify and speed up the completion of relevant TRAs by organisations.

    It is important to note that the guidance above only applies where the personal data recipient in the US is not an active participant in the UK Extension to the DPF. For transfers to US organisations participating in the DPF, no TRA or Article 46 "appropriate safeguards" (such as standard contractual clauses) are required.

    EU Developments

    1. Political agreement on the AI Act 

    On 11 December 2023, the European Parliament and the European Council reached political agreement on the European Artificial Intelligence Act ("AI Act"). The next steps are to consolidate and edit the final wording, confirmation of the final text by the European Council and the European Parliament, and publication in the Official Journal. The AI Act provides a sunrise period of 24 months from the date of publication, which is expected in the second quarter of 2024.

    2. Data Act enters into force

    On 11 January 2024, the Data Act entered into force. The individual chapters of the Act will apply in stages from 12 September 2025 until full application on 12 September 2027. A large part of the Act will apply from 12 September 2025, including the right for business users and consumers to access and share data from IoT devices. The Act will initially apply to data holders and users in regard to IoT data from connected products placed on the market after 12 September 2025.

    3. CJEU considers credit score an automated individual decision under the GDPR

    On 7 December 2023, the Court of Justice of the European Union ("CJEU") issued two landmark judgments in proceedings against the German credit reference agency SCHUFA (C-26/22 and C-64/22) which limit the retention period for credit reporting agencies, confirm the application of erasure in such credit reporting cases, consider who in a chain of organisations is making an automated decision and provide more certainty on the scope of judicial review of DPA decisions.

    Of particular interest to data protection practitioners is the consideration of whether SCHUFA, the credit reference agency, was making an automated decision and therefore triggering the more onerous requirements of Art. 22 GDPR. SCHUFA had argued that in producing the credit score on an individual it was only engaged in preparatory acts, and that any decision would be taken by the lender. However, the CJEU recognised that if this were the case, an individual would not have a right of access against either of the parties to understand the logic behind the automated decision making. On SCHUFA's argument, an individual could not obtain the information from SCHUFA, as it was not making a decision, and could not obtain the information from the lender, as it did not hold the information about the automated decision making.

    The CJEU held that this gap in legal protection and the missing right of access contradict the purpose of Art. 22 GDPR, which is to protect data subjects against the significant effects of automated processing on their privacy rights and freedoms.

    4. Two interesting cases on non-material damage under the GDPR

    There have been two interesting cases in the last few months on the scope of non-material damages under the GDPR. Article 82 of the GDPR makes it clear that individuals can claim for material damages (out-of-pocket expenses) as well as non-material damages (emotional damage). How serious the emotional damage needs to be is a much discussed area of law, and it took 5 years from the GDPR coming into full force and effect for an EU case to consider it in any detail. In May 2023, in "Österreichische Post" (C-300/21), the CJEU ruled that the right to compensation is not limited to non-material damage that reaches a certain threshold of seriousness.

    Two cases at the end of last year have seen this considered further. The CJEU issued its judgment in the case of "VB v. Natsionalna agentsia za prihodite" (Bulgarian National Revenue Agency) (C-340/21), where it concluded that an individual's fear that their personal data may be misused by third parties following publication without their consent can, in itself, be recognised as non-material damage. In this context, the national court must examine whether the fear can be considered "well founded" in the specific circumstances of the data subject.

    In contrast, on 21 December 2023 the regional labour court of Düsseldorf ("LAG Düsseldorf") reduced the scope for non-material damages (Art. 82 GDPR) (judgment of 28 November 2023 - 3 Sa 285/23) by ruling that a breach of the data subject's right of access (Art. 15 GDPR) does not in itself justify a claim for non-material damages (Art. 82 GDPR). The high standard for non-material damages claims established by the LAG Düsseldorf is still in line with recent CJEU case law. In "Österreichische Post" the CJEU had clarified that the affected person must have actually suffered damage as a result of the breach. A mere violation of the GDPR does not suffice.

    News from France

    Meanwhile in France, the CNIL has launched a public consultation on its draft Transfer Impact Assessment (TIA) guide ("Transfer Impact Assessment (TIA): the CNIL Consults You on a Draft Guide"), which outlines a 6-step process for conducting assessments of data transfers.

    Also, the CNIL has fined AMAZON FRANCE LOGISTIQUE €32 million for implementing an excessively intrusive system to monitor employee activity and performance, as well as for deploying a video surveillance system that lacked adequate information disclosure and security measures. Employees were given a scanner to document, in real time, the performance of tasks assigned to them.

    Spotlight on our annual data protection round-up in London

    On 1 February we hosted our annual data protection round-up event at our London office.  Over 60 clients were in attendance to hear our review of the key data protection and privacy developments from the UK and EU in the past 12 months as well as our predictions for the year ahead.   

    We have summarised below a selection of sound bites from Ashurst's multi-disciplinary data team who spoke at the event. If you would like further details on any of the points discussed below, please get in touch. 

    Enforcement 

    From an enforcement perspective, we noted that the most significant UK and EU decisions in the past year focussed on issues which struck at the heart of the data controllers' business models. Organisations were forced to stop transferring data, to change their lawful basis for processing data and in some cases to stop processing data completely.

    We predicted that this trend will continue in 2024, meaning that data protection compliance will be integral not only to limiting the risk of regulatory fines but also to ensuring businesses can continue operating without having to change core business strategies and operations.

    Digital Legislation 

    Legislative change has continued to sweep across the EU during 2023. With the passage of the AI Act in the EU in December, there are now hard fault lines emerging between the UK's "non-statutory" approach to regulating AI and the rest of Europe. However, we noted it will still be a number of years before the AI Act's transition periods end and full compliance is required.

    We explained that in the meantime it will be data protection regulations in both the EU and the UK (primarily in the form of the EU GDPR and UK GDPR) which will continue to be used to police the development and use of AI systems.  As a result, we noted that privacy professionals will remain integral to their organisations' compliant roll-out of AI over the next year.

    Cyber security 

    Directors' duties have been governed by the same legislation in the UK for the past 18 years; however, rapid change is currently underway with regard to how these duties need to be effectively discharged in a cyber context. Directors are now expected to have sufficient cyber knowledge and/or access to external experts so they can keep up with the latest threat landscape and demonstrate effective risk management.

    A key change on the horizon this year is a new cyber governance code, on which the UK Government launched a "call for views" last month. We noted that the proposed code is designed to ensure directors keep up with these increasing cyber-related expectations.

    Litigation 

    We discussed continued efforts by a number of claimants in 2023 to find an English court mechanism for small, low-value, mass claims relating to data protection and privacy. We expect there to be continued efforts by claimants in 2024 to seek inventive ways to group together and bring collective actions.  

    This is likely to be facilitated by litigation funders who will take encouragement from Justice Secretary, Alex Chalk, who confirmed the Government is planning to "legislate at the first opportunity" to reverse the "damaging effects" of a Supreme Court ruling last July that complicated rules concerning litigation funding agreements. 

    Employment 

    In an employment context, data protection issues in the past year continued to centre on data subject access requests and employee monitoring.  We noted that the ICO has now released finalised monitoring guidance which provides practical help for organisations. However, challenges remain particularly in connection with hybrid work arrangements where monitoring of personal devices may be undertaken.  

    Looking ahead to 2024, we discussed the data protection implications arising from the rapidly increasing use of AI in HR processes.  The ICO appears to have recognised this issue in its recently released draft guidance on recruitment and selection which covers a number of AI specific considerations. 

    Data Governance 

    Ashurst's Risk Advisory data governance team also shared their observations on data governance trends in 2023. They shared that:

    1. Gen AI raised question marks over the transparency and traceability of data - whether it was training data, input prompts or outputs

    2. Cyber continued to be a top priority for boards and C-suite and the threat of an attack brought with it a heightened focus on data retention

    3. Cloud migration and the trend of data centralisation continued, enabling many businesses to re-think the way they approach data governance

    In 2024, they predict:

    1. Gen AI will transition from experimentation to implementation as organisations start to customise Gen AI backed applications with proprietary data

    2. More and more organisations will start to develop standalone AI governance frameworks that need to closely interlink with existing data governance frameworks

    Authors: Rhiannon Webster, Partner; Alexander Duisberg, Partner; Andreas Mauroschat, Partner; Nicolas Quoy, Partner; Shehana Cameron-Perera, Senior Associate; Antoine Boullet, Senior Associate; Tom Brookes, Associate; David Plischka, Associate; Nilesh Ray, Junior Associate; Prithivi Venkatesh, Trainee Solicitor; Claude Fuhrer, Trainee Solicitor.

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.