Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments in the previous month.
Case Law Updates
Schrems v Meta (Case C‑446/21)
This month the Court of Justice of the European Union ("CJEU") issued its judgment in the case brought by Mr Maximilian Schrems against Meta Platforms Ireland Ltd (Meta) concerning the processing of sensitive data under the GDPR. Our article on 'European authorities continue to scrutinise companies' lawful bases' analyses this decision and its implications.
Koninklijke Nederlandse Lawn Tennisbond v Autoriteit Persoonsgegevens (Case C-621/22)
On 4 October 2024 the CJEU handed down its judgment clarifying the scope of "legitimate interests" under Article 6(1)(f) of the GDPR. The focus of the dispute and the subsequent ruling was whether a "legitimate interest" could be interpreted to encompass purely commercial interests when processing personal data in certain circumstances. Our article on 'European authorities continue to scrutinise companies' lawful bases' considers this decision and its outcomes.
Regulatory Developments
Data (Use and Access) Bill published
The Data (Use and Access) Bill was published in the House of Lords on 23 October 2024. The second reading of the Bill will take place on 19 November 2024. Our detailed analysis of the amendments that the Bill proposes to make to the data protection framework in the United Kingdom can be found here.
Progression of the Bill can be tracked here, and we will provide updates on the legislative process. The ICO has also published a response to the draft Bill.
Cyber Security and Resilience Bill to be introduced into Parliament in 2025
As part of the King's Speech, the Government announced that a Cyber Security and Resilience Bill will be introduced, addressing issues such as the UK's cyber defence and the safeguarding of critical infrastructure and essential services. A collection of materials published by the Department of Science, Innovation and Security confirms that the legislation will be introduced into Parliament in 2025.
Irish Data Protection Commission fines LinkedIn Ireland €310 million
On 24 October 2024, the Irish Data Protection Commission (DPC) announced its final decision following its inquiry into LinkedIn Ireland Unlimited Company concerning the processing of personal data. Our article on 'European authorities continue to scrutinise companies' lawful bases' addresses this news.
European Data Protection Board on draft regulation laying down additional procedural rules for the enforcement of GDPR
The EDPB has published its Statement 4/2024, adopted on 7 October 2024, on the recent legislative developments concerning the Draft Regulation laying down additional procedural rules for the enforcement of the GDPR.
The EDPB expressed concern that the draft excludes the possibility for concerned supervisory authorities to raise relevant and reasoned objections to the sui generis draft decisions issued in respect of amicable settlements, and urges the co-legislators to remove this restriction. The EDPB proposes that a legal basis and a coordinated procedure are needed for amicable settlements, and suggests that consensus be reached on the summary of key issues.
Read more here.
NIS2 Directive now in force
On 17 October 2024, the European Commission (EC) published the NIS2 Directive Implementing Regulation C (2024) (Implementation Regulation). Member States had until 17 October 2024 to implement the NIS2 Directive. Thereafter, from 18 October 2024, the original NIS Directive is repealed.
The NIS2 Directive lays down the technical and methodological requirements of cybersecurity risk management measures for critical entities and networks. We previously published an article addressing the NIS2 Directive's implementation and what it means for businesses.
Read more about the Implementation Regulation here.
European Commission concludes that X should not be designated as a core platform service under the Digital Markets Act
On 16 October 2024, the EC published its decision concluding that X (formerly Twitter), the online social networking platform, does not qualify as a gatekeeper as its investigation revealed that X is not an important gateway for business users to reach end users.
The EC's decision comes after it initiated an in-depth market investigation on 13 May 2024 following notification by X of its status as a potential gatekeeper. X submitted rebuttal arguments explaining why, in its view, its online social networking service should not qualify as an important gateway between businesses and consumers, even if X is deemed to meet the quantitative thresholds set out in the DMA.
The EC has advised that its full decision will be published in due course. However, the EC has stipulated that it will continue to monitor developments on the market with respect to this service, should any substantial changes arise.
Read more here.
Cyber Resilience Act adopted by the EU
On 10 October 2024, the Council of the European Union adopted the EU's Cyber Resilience Act (CRA), which closes a substantial gap in EU legislation, which previously contained no mandatory cybersecurity requirements for 'products with digital elements'. The next step is publication of the CRA in the EU's Official Journal; the CRA will enter into force 20 days thereafter.
We have previously commented on this piece of legislation and the UK Product Security and Telecommunications Infrastructure Act 2022 earlier this year as part of considerations concerning silent cyber.
The CRA will introduce cybersecurity requirements for the design, development and production of these products, applying to manufacturers, distributors and importers. Impacted parties will be afforded 36 months to comply with the new cybersecurity and reporting requirements. A shorter 21-month compliance period applies to manufacturers in respect of their reporting obligations as manufacturers. For companies based in the EU and/or UK, the CRA's rules and requirements can therefore apply to manufacturers, importers and resellers of regulated hardware and software.
European Data Protection Board updated guidelines on ePrivacy Directive
On 16 October 2024, the European Data Protection Board (EDPB) published new guidelines on the ePrivacy Directive (Guidelines 2/2023 on Technical Scope of Art. 5(3) of ePrivacy Directive).
The new guidelines expand upon Opinion 9/2014 of the Article 29 Working Party on the application of the ePrivacy Directive to device fingerprinting and seek to clarify the understanding of the technical operations covered by Article 5(3). Specifically, the guidance seeks to address the applicability of Article 5(3) to new and emerging tracking technologies, and includes input from organisations, businesses and DPOs following public consultation.
The guidance includes a non-exhaustive list of applicable cases regarding common techniques, chiefly:
- URL and pixel tracking
- Local processing
- Tracking based on IP only
- Intermittent and mediated Internet of Things (IoT) reporting
- Unique Identifier
Read more here.
European Data Protection Board adopts opinion on certain obligations following from the reliance on processor(s) and sub-processor(s)
The EDPB adopted its Opinion 22/2024 on certain obligations following from the reliance on processor(s) and sub-processor(s) on 7 October 2024 (Opinion). The adoption from the EDPB follows on from a request from the Danish Data Protection Authority under Article 64(2) of the GDPR.
The EDPB concluded that controllers of personal data should have the information on the identity of all processors and sub-processors accessible and readily available. The EDPB defines "identity" as meaning the name, address and contact person (name, position, contact details) of the processor and the description of the processing (including a clear delimitation of responsibilities where several sub-processors are authorised). Equally, processors should proactively provide all of this identity information to the controller and should keep these details updated.
Adding to the above, the EDPB has gone as far as to stipulate that "with respect to the choice of processors, controllers should be in a position that allows them to effectively determine the purposes and means of the processing as per Article 4.7 GDPR. In that regard, determining the recipients (including processors) is considered an “essential means” of the processing, on which the controller decides". However, the ultimate decision on whether to engage a specific sub-(sub-)processor, and the pertaining responsibility, including with respect to verifying the sufficiency of the guarantees provided by the (sub-)processor, remains with the controller.
Read more here.
Data & Privacy Developments
ICO contributes to follow-up joint statement on data scraping
Last year, the ICO contributed to a joint statement on data scraping with a number of other global data protection authorities. That statement set out the key privacy issues associated with data scraping, and proposed steps for businesses to protect against, monitor and respond to data scraping activities on their platforms. An updated joint statement has now been issued setting out further expectations for organisations, including:
- Compliance with privacy and data protection laws when using personal information, including from their own platforms, to develop artificial intelligence (AI) large language models;
- Deployment of a combination of safeguarding measures, which should be regularly reviewed and updated to reflect advances in scraping techniques and technologies; and
- Ensuring that permissible data scraping for commercial or socially beneficial purposes is done lawfully and in accordance with strict contractual terms.
The joint statement can be found here.
ICO issues fines to organisations for marketing and spam campaigns
The ICO has published details of regulatory action taken in respect of marketing and spam campaigns. Firstly, two companies were fined for making unlawful marketing calls to individuals registered with the Telephone Preference Service. One organisation was fined £80,000 for making 42,688 unsolicited calls, and a second business was fined £40,000 for 5,361 calls.
Two other businesses were fined a total of £150,000 for sending over 7.5 million spam text messages to people. The businesses had purchased personal information from third-party suppliers that did not obtain valid consent.
Cyber Developments
NCSC warns of gap between cyber threats and defence capabilities
The newly appointed head of the National Cyber Security Centre, Dr Richard Horne, issued a warning calling for greater global resilience in the face of complex and aggressive online security threats. The speech highlighted that the rapid expansion of cyber capabilities, previously confined to nation-states and well-resourced actors, has significantly broadened the threat landscape. The NCSC responded to 50% more nationally significant incidents in 2024 than in 2023, as well as a threefold increase in severe incidents.
The NCSC press release can be found here.