Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments in the previous month.
Contents
Case Law Updates
German Federal Court of Justice issues judgment considering non-material damage
The German Federal Court of Justice has issued a decision holding that even the mere loss of control over personal data can constitute non-material damage within the meaning of Article 82(1) of the GDPR. Our team has written on this decision here.
Regulatory Developments
Data (Use and Access) Bill passes 2nd reading stage
Further to our article last month, the Data (Use and Access) Bill has passed 2nd reading in the House of Lords and progressed to the Committee stage on 3rd December. During the 2nd reading stage, clarification was sought by numerous members of the Lords as to the risk to EU adequacy decisions. Baroness Jones, representing the Government, expressly stated that the Government recognised the importance of retaining those adequacy decisions with the EU, and ministers are engaging with the European Commission on this issue.
Progression of the Bill can be tracked here, and we will continue to provide updates on the legislative process.
General-Purpose AI Code of Practice to be developed in EU
The European AI Office is facilitating the drawing up of the first General-Purpose AI Code of Practice, which will detail the rules set out in the EU AI Act for providers of general-purpose AI models, and general-purpose AI models with systemic risks.
By way of reminder, Article 3(63) of the AI Act defines a general-purpose AI model as “an AI model, including where such an AI model is trained with a large amount of data using self-supervision at scale, that displays significant generality and is capable of competently performing a wide range of distinct tasks regardless of the way the model is placed on the market and that can be integrated into a variety of downstream systems or applications”.
The press release accompanying the announcement can be found here.
EDPB adopts first report under the EU-US Data Privacy Framework
The European Data Protection Board (EDPB) has adopted a report on the first review of the EU-US Data Privacy Framework. The report welcomes the efforts of the US authorities and the European Commission in implementing the Data Privacy Framework (DPF), in particular the avenues of redress for EU citizens under the DPF Principles. Among a number of clarifications sought, the EDPB encouraged the European Commission to assess and monitor the acquisition of personal data by US intelligence agencies from data brokers and other commercial entities that is not captured by existing executive orders.
The report can be found here. The EDPB recommends that the next review of the DPF should take place within the next 3 years. The press release accompanying the report can be found here.
Cyber Resilience Act entered into Official Journal of the EU
The Cyber Resilience Act (CRA) has now been published in the Official Journal of the EU, and it will enter into force on 10 December 2024. The CRA introduces cybersecurity requirements for the design, development and production of 'products with digital elements', which covers both hardware and software products, including software or hardware components placed on the market separately. This covers products such as smart or connected household devices. It will apply to manufacturers, distributors and importers of those products with digital elements placed on the EU market, meaning that non-EU companies intending to sell their products in the EU will need to ensure compliance.
The majority of the CRA's provisions will apply from 11 December 2027, affording impacted parties 36 months to comply with any new cybersecurity and reporting requirements. However, certain elements will come into application before this: Article 14 (manufacturers' reporting obligations) will apply from 11 September 2026, giving manufacturers only a 21-month period to comply with their reporting obligations, and Chapter IV (notification of conformity assessment bodies) will apply from 11 June 2026.
The link to the Official Journal entry can be found here.
European Commission warns Member States on NIS2 transposition
The European Commission has opened infringement procedures against 23 Member States for failing to transpose the NIS2 Directive into national law by 17 October 2024 as required. A letter of formal notice invites those countries to respond within 2 months, complete the transposition and notify the Commission.
A failure to do so will invite the Commission to issue a reasoned opinion. The Commission's press release confirming the enforcement steps can be found here.
ENISA seeks feedback on technical guidance for NIS2 Implementing Act
The European Union Agency for Cybersecurity (ENISA) has invited industry stakeholders to comment on complementary technical guidance developed following the recent adoption of the implementing rules under the NIS2 Directive by the European Commission.
The draft of the technical guidance aimed at supporting those entities in scope of NIS2 can be found here. The press release issued by ENISA commencing the consultation can be found here.
Data & Privacy Developments
Information Commissioner seeking permission to appeal DSG Retail Limited ruling
The ICO confirmed that it will be appealing the decision of the Upper Tribunal in relation to the ICO's right to impose a monetary penalty notice (MPN) under the DPA 1998. The Upper Tribunal, in response to an appeal by DSG Retail in relation to a First-Tier Tribunal decision, provided guidance helpful to the ICO. The ICO welcomed the "Tribunal’s clarity that organisations have an anticipatory duty to put in place measures to keep people’s information safe."
However, the ICO is of the view that "the Tribunal interpreted the law incorrectly in then finding that an organisation is not required to take appropriate measures against unauthorised or unlawful processing of data by a third party, where the data is personal data in the hands of the controller but not in the hands of the third party." The press release confirming the ICO is seeking permission to appeal can be found here, and the Tribunal's decision is awaited.
ICO issues report on genomics
The ICO has issued a report on genomics, which can be found here. The report highlights the need for a privacy-by-design approach while emphasising some of the possible benefits of processing such data, such as healthcare providers using DNA to predict and prevent diseases.
The report considers:
- understanding when genomic data may be personal data;
- the complexities of using and sharing third party genomic information and inferences derived from it;
- the associated risks and challenges of anonymising and pseudonymising genomic information to ensure privacy by design without compromising innovation; and
- the significant risks of bias and discrimination from the processing of genomic information.
The ICO notes that "organisations and researchers desire greater clarity in understanding when genomic information may be personal information," particularly as some genomic information may not relate to an identifiable person and thus may not fall within the definition of personal data. The ICO will continue to work with stakeholders to provide further clarity in this area, and also to provide a better understanding of what exactly health information is under the UK GDPR.
Genomics was one of the issues discussed in the ICO's second Tech Horizons Report issued earlier this year (our article on the same can be found here). Coinciding with the issue of the report, the ICO issued a call for collaboration with developers through the Regulatory Sandbox, which allows developers to gain expert guidance on privacy-compliant innovations in genomics.
Joint statement from the FCA, ICO and TPR for retail investment firms and pension providers
The Financial Conduct Authority (FCA), the Information Commissioner's Office and The Pensions Regulator (TPR) have issued a statement providing greater clarity for firms and pension scheme trustees or managers on supporting their customers' decision-making through their communications, in line with the FCA Consumer Duty and TPR’s Code of Practice and Guidance. The statement offers guidance for firms to ensure that they comply with data protection requirements and direct marketing rules when sending regulatory communication messages, in particular noting that these requirements do not prevent them from sending neutral, factual messages.
The statement can be found here.
Data protection code of conduct launched for UK private investigators
The ICO has approved the first sector-owned code of conduct for UK private investigators. The Association of British Investigators Limited (ABI) UK GDPR Code of Conduct for Investigative and Litigation Support Services (the Code of Conduct) has been created in line with Article 40 of UK GDPR. Article 40 allows organisations to create codes of conduct that identify and address data protection issues important to their sector. The Code of Conduct can be found here.
In this instance, the key data protection issues facing the private investigation sector are addressed within the Code of Conduct. These issues include the role and responsibilities of members when acting as data controllers, joint controllers or processors, and when to complete a Data Protection Impact Assessment.
ICO publishes key questions for organisations procuring AI tools to assist with employee recruitment
The ICO has published key questions that organisations should ask when procuring AI tools to assist with the recruitment of employees. The key questions resulted from consensual audit engagements with developers and providers of AI tools used in recruitment. The outcomes report from those engagements can be found here.
The key questions proposed by the ICO are:
1) Have you completed a DPIA?
2) What is your lawful basis for processing personal information?
3) Have you documented responsibilities and set clear processing instructions?
4) Have you checked the provider has mitigated bias?
5) Is the AI tool being used transparently?
6) How will you limit unnecessary processing?
Government publishes statement of strategic priorities for Ofcom in relation to Online Safety Act
The Government has published a statement of strategic priorities setting out its aims for online safety, to which Ofcom must have regard when exercising its regulatory functions under the Online Safety Act.
The strategic priorities are as follows: safety by design; transparency and accountability; agile regulation; inclusivity and resilience; and technology and innovation. Ofcom will be required to consider each of those strategic priorities when enforcing the Online Safety Act from next year. Ofcom will also be required to report back to the Secretary of State on the action it has taken against the priorities, to ensure safer spaces online are being delivered.
The press release accompanying this announcement can be found here.
Cyber Developments
ABI and Lloyd's issue paper outlining key reinsurance components for defining major cyber events
The ABI and Lloyd's have issued a report outlining the factors that (re)insurers should consider when defining what constitutes a major cyber event, and providing a framework for readers to follow. The paper is intended to enhance awareness, education, and the development of risk appetite and (re)insurance solutions in managing cyber risk.
The paper can be found here.
NCSC issues warning regarding cyber attackers exploiting zero-day vulnerabilities
The UK National Cyber Security Centre (NCSC), together with agencies from the United States, Canada, Australia and New Zealand, has issued a warning on the increase in cyber attackers using previously unknown vulnerabilities to compromise enterprise networks. The advisory states that 'zero-day' vulnerabilities (weaknesses that were recently discovered and for which a fix or patch was not immediately available from the vendor) are allowing attackers to go after higher-priority targets.
The warning issued by the NCSC and other agencies can be found here.