Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments in the previous month.
Contents
- King's Speech
- Case Law Updates
- Regulatory Developments
- Data & Privacy Developments
- Cyber Developments
King's Speech
The King's Speech sets out the legislative agenda of the new Government, indicating its priorities but remaining silent on the specific timing of the Bills mentioned. From a data, privacy and cyber perspective, there were significant developments, with specific legislation announced in the form of the Digital Information and Smart Data Bill, and the Cyber Security and Resilience Bill.
In addition, it was confirmed that 'appropriate legislation' placing requirements on those developing AI models will be brought forward. There was surprise at the lack of clarity, intention and detail, although other details have filtered through via discussions in the House of Lords, which confirmed that the future AI bill will be "highly targeted legislation that focuses on the safety risks posed by the most powerful models." In addition, the legislation will also place the AI Safety Institute on a statutory footing, providing it with a permanent remit to enhance the safety of AI, and the Government will consult publicly on the details of the proposals before bringing forward legislation.
Our initial review following the announcements can be found here, and the Government's background briefing notes can be found here.
Case Law Updates
Meta Platforms Ireland Limited v Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband e.V, Case C-757/22
The European Court of Justice has ruled that representative organisations are entitled to bring privacy claims on behalf of individuals, provided the organisation "must assert that it considers the rights of a data subject provided for in [the GDPR] have been infringed 'as a result of the processing'."
A German court referred the matter to the ECJ in the context of a representative action alleging that Meta had not obtained valid consent, because its software informed users that by using an app they were agreeing to let Meta collect and publish certain personal data. The ECJ was asked whether a consumer protection association can bring an action on behalf of data subjects "as a result of the processing" of data.
The Court of Justice confirmed that such an action is allowed, noting that GDPR requires data controllers to inform subjects of the purposes for the collection of personal data and the grounds for processing "in a concise, transparent, intelligible and easily accessible form [and] in clear and plain language." In this instance, a breach of that data subject right triggers the ability of the representative organisation to bring a case against Meta.
The judgment can be found here.
Regulatory Developments
UK, US and EU competition regulators issue joint AI statement
The competition authorities of the UK (Competition and Markets Authority), USA (Department of Justice and Federal Trade Commission) and EU (the European Commission) issued a joint statement on competition in generative AI foundation models and AI products.
The authorities will work together to ensure effective competition for consumers. They note that emerging AI business models pose a risk to competition through the possibility of entrenched market power, reflecting financial arrangements and investment between key parties. The authorities are also mindful of other risks associated with the development of algorithms in AI models and with businesses' use of customer data to train their models. The statement emphasises that, in order to protect competition in the AI ecosystem, the common principles of fair dealing, interoperability and choice will be key.
The joint statement can be found here.
ICO reprimands Electoral Commission after attack on servers
The ICO issued a reprimand to the Electoral Commission for having inadequate security measures to protect personal information, following the compromise of its servers in August 2021. The attackers were able to exploit software vulnerabilities and access the personal information of approximately 40 million people, and retained that access for over a year after the initial compromise. The Electoral Commission had failed to remedy the software vulnerabilities, despite security patches having been made available in April and May 2021. The organisation also had inadequate password policies in place at the time of the attack.
The ICO confirmed that the Electoral Commission had since taken a number of remedial steps, including modernising its infrastructure and introducing password policies and multi-factor authentication for all users. The full text of the reprimand can be found here.
European Commission coordinates action against Meta on 'pay or consent' models
As we have highlighted in previous months, Meta's 'pay or consent' advertising models have come under significant regulatory scrutiny this year, with the European Data Protection Board issuing an opinion suggesting the model is unlikely to be lawful. The European Commission also issued a preliminary opinion finding that the 'consent or pay' model was not compliant with Meta's obligations under the Digital Markets Act. That investigation is ongoing.
In the meantime, the Commission has coordinated action with the Consumer Protection Cooperation (CPC) Network to issue a letter to Meta raising specific concerns about Meta's practices under EU consumer law. This action is distinct from those other ongoing investigations in respect of Meta's 'pay or consent' model. The CPC authorities have identified several practices undertaken by Meta which could be considered unfair and contrary to the Unfair Commercial Practices Directive and Unfair Contract Terms Directive. It is alleged that Meta are misleading and confusing users via the use of imprecise terms and language and pressuring users to accept the new business model. Meta has until 1 September 2024 to respond to the concerns raised, with enforcement measures possible.
The press release from the Commission can be found here.
European Commission publishes draft NIS 2 implementing regulations
In anticipation of the 18 October 2024 deadline for Member States to apply measures to comply with the NIS 2 Directive, the European Commission released draft regulations setting out the technological and methodological requirements. These include specifying which incidents are significant enough to trigger the Directive's 72-hour reporting obligations.
The draft regulations can be accessed here; the feedback period closed on 25 July 2024.
Data & Privacy Developments
European Commission issues second review of GDPR
The European Commission has issued its second report on the application of the GDPR in accordance with Article 97, which requires the Commission to examine issues such as the international transfer of data to third countries and the cooperation mechanisms between national data protection authorities.
The report also provides a general assessment of the application of the GDPR and proposes actions to ensure its continued effective application. The Commission has identified several areas of focus, including robust enforcement of the GDPR, proactive support from data protection authorities for stakeholders, effective cooperation between regulators and advancing the Commission's international strategy on data protection. Proposed measures to assist are set out, and they will be supported and monitored by the Commission in anticipation of the next report, due in 2028.
The report can be accessed here.
First periodic review of the EU-US Data Privacy Framework completed
A year has passed since the EU-US Data Privacy Framework went into effect, and a first periodic review of the framework has been completed by representatives from the United States and European Union. The review covered all elements of the framework and allowed the representatives to discuss relevant legal developments in the areas of privacy and government access to data.
The press release from the US Department of Commerce can be found here.
Google steps back from plans to remove third party cookies in Chrome
On 22 July, Google announced that it would be concluding longstanding efforts to remove third-party cookie tracking technology from the Chrome web browser. Google has announced that "Instead of deprecating third-party cookies, we would introduce a new experience in Chrome that lets people make an informed choice that applies across their web browsing, and they’d be able to adjust that choice at any time."
The Deputy Commissioner of the ICO issued a statement following the announcement, expressing disappointment at the proposed changes, noting that in the view of the ICO, "blocking third party cookies would be a positive step for consumers."
Open Rights Group challenges Meta plan to utilise user data for AI training
As noted in our article this month on AI and privacy, the Open Rights Group has submitted a formal complaint to the ICO regarding Meta's plans to utilise user data to 'develop and improve AI'. The complaint, made on behalf of five ORG employees who are users of Meta platforms, calls for the ICO to issue an "imminent and legally binding decision under Article 58(2) UK GDPR to prevent the processing of the complainants… without consent." More widely, the complaint requests that the ICO prohibits the use of personal data for undefined AI technology in the absence of an opt-in consent form from the complainants.
ICO publishes Annual Report
The Information Commissioner's Office has published its annual report covering 1 April 2023 to 31 March 2024. The report emphasises that the development of new and complex technologies prompted the ICO to divide its resources between continuing to 'empower through information' and technological horizon scanning, which includes providing support and resources to those working with emerging tech.
The report, which also details how the ICO has met its four core objectives over the past year, can be found here.
ICO encourages people to read privacy notices
The ICO has published guidance urging people to check how applications will use their personal data after signing up. It has also published a series of short videos in support, and encourages users to ask the following questions when signing up:
- Is the privacy notice clearly written and easy to understand?
- Will they delete your data when you don’t want to use the app anymore?
- What measures do they have in place to prevent hackers from accessing your personal information?
- Who are they sharing your information with?
- Are you happy with where your personal information could end up?
Cyber Developments
CrowdStrike outage
On 19 July, a significant IT outage affected computer systems globally following the release of a CrowdStrike security update. The outage affected a large number of diverse organisations, from airlines to financial institutions, which suffered widespread interruption to their activities and incurred financial losses. As a result of the incident, claims for business interruption have already been commenced under cyber insurance policies, and more may follow.
The National Cyber Security Centre also reported that opportunistic malicious actors generated an increase in phishing attacks following the outage. The NCSC directed organisations to review its guidance on phishing mitigations and directed those affected to refer to the relevant vendor guidance and take necessary action.
NCSC issues warnings on state-sponsored cyber attackers
The NCSC issued two alerts in July warning of risks emerging from state-sponsored attackers, including North Korea.
In association with international partners, the NCSC highlighted an evolution in the techniques used by state-sponsored actors, who are exploiting vulnerable small-office and home-office devices that often do not have the latest software or security updates. Critical infrastructure organisations also received a specific warning relating to a military and nuclear espionage campaign by North Korean attackers. Primarily targeting defence, aerospace, nuclear and engineering entities, and organisations in the medical and energy sectors, the cyber threat group has been compromising sensitive and technical data around the world. The NCSC note can be found here, as can the FBI advisory co-sealed by the NCSC and other partners.