10 min read

Data, Privacy and Cyber Bulletin: January 2024

Read more

By Hans Allnutt, Patrick Hill and Jade Kowalski

|

Published 07 February 2024

Overview

The latest edition of our Data, Privacy and Cyber Bulletin is very much data-led with discussions of developments in the European Union across a number of issues, ongoing consultations from the Information Commissioner's Office and the impact of the Retained EU Law (Revocation and Reform) Act on data protection law.

As we move deeper into 2024, our data, cyber and privacy experts have contributed to DAC Beachcroft's Insurance Predictions for the coming year. From data ethics to connected products legislation, we offer our international experts’ predictions on the opportunities and challenges that the data, privacy and cyber market may face. Whatever your area of interest, click here to delve into our predictions for 2024.

On January 1st 2024, the Retained EU Law (Revocation and Reform) Act 2023 came into effect, abolishing the supremacy of EU law and making changes to the interpretation and effect of EU case law in the UK. Our team considers how this legislation will affect data protection law in the UK.

The ICO features heavily this month following the launch of a new consultation series on the application of data protection law to the development and use of generative AI models, and a further consultation on draft guidance relating to employment practices and data protection.

We also consider guidance from the Courts and Tribunal Judiciary on the use of artificial intelligence by judicial office holders.

Looking to Europe, the passage into law of the European Data Act will establish harmonised rules on the fair access of data and user rights. Although not as far-reaching as the GDPR, the Data Act will have a considerable impact when applicable from September 2025. Reflecting this development, and the fast pace of developments in the digital legislation landscape in the EU, the publication of a European Data Protection Board report on the role of Data Protection Officers was timely. We review the key points raised by the report.

The European Commission re-affirmed adequacy decisions for 11 countries and territories, meaning that data transfers from the EU to those locations can continue without additional requirements.

As 'Pay or ok' consent mechanisms are introduced into the European Union, national data protection authorities are seeking guidance from the European Data Protection Board on their validity. Pressure also continues to be applied by national data protection authorities on the issue of cookies, with the French data protection agency, CNIL, imposing a €10 million fine on Yahoo! for failings they uncovered.

Finally, we note the letter provided to insurers by the Prudential Regulation Authority which singles out cyber insurance as a key priority for the coming year.

 

Retained EU Law Act and the impact on data protection case law

Taking effect from January 1st 2024, the Retained EU Law (Revocation and Reform) Act 2023 abolished the the supremacy of EU law. We consider whether this legislation will create divergence between the EU and UK on data protection case law.

Click here to read more 

 

ICO Launches Consultation Series on Generative AI and Data Protection

The launch of a new consultation series by the Information Commissioner's Office will seek to clarify issues and questions raised in respect of the application of data protection law to generative AI models. We consider the first chapter of the consultation series, covering the lawful basis for training generative AI models on web-scraped data.

Click here to read more 

 

Data Protection: More ICO draft guidance out for consultation

The Information Commissioner’s Office recently announced an online resource relating to employment practices and data protection. As part of this it provided draft guidance for consultation on keeping employment records and for recruitment and selection. The drafts also contain practical tools, such as checklists, to assist employers.

Click here to read more

 

Courts and Tribunal Judiciary sets out AI Guidance for Judicial Office Holders

Guidance has been provided to judicial officer holders to ensure that any use of AI by or on behalf of the judiciary complies with their overarching obligation to protect the administration of justice. We analyse the content of the document.

Click here to read more

 

Data Act: European Union harmonises rules on fair access and user rights

Applying from September 2025, the Data Act is a key pillar of the European Union's data strategy. As the value and volume of data increases, the legislation will enable fair distribution of data by establishing clear and fair rules for accessing and using data within the European data economy,

Click here to read more

 

EDPB Coordinated Enforcement Action: Designation and Position of Data Protection Officers

The European Data Protection Board recently adopted its report on the designation and position of Data Protection Officers following a year of investigations by 25 supervisory authorities. We analyse the report, the conclusions and key takeaways for organisations in the UK.

Click here to read more

 

EU agreement on pre-GDPR adequacy agreements

We review the decision of the European Commission to re-affirm adequacy decisions for countries such as New Zealand, Switzerland and Israel. The assessment reviewed a number of beneficial developments in privacy legislation within the 11 countries and territories in question.

Click here to read more

 

'Pay or ok' challenged as ad-free subscription models under scrutiny

'Pay or okay' consent mechanisms in the European Union, such as those introduced recently by Meta, are under scrutiny from data protection authorities and consumer activists. In the absence of a unified approach, the European Data Protection Board has been asked for an opinion by the Norwegian, Dutch and Hamburg state data protection authorities.

Click here to read more

 

French data agency fines Yahoo! €10 million over cookies policy

The imposition of a €10 million fine on Yahoo! by the French data protection authority, CNIL, is the latest signal of the hard line being taken by regulators in respect of cookie compliance. Against this backdrop, we also consider the progression of the European Commission's Cookie Pledge initiative, aiming to encourage businesses to simplify the choices faced by consumers.

Click here to read more

 

The PRA identifies cyber insurance as a priority for 2024

A letter to insurers from the Prudential Regulatory Authority has identified cyber insurance as a specific priority for the coming year. The PRA notes that cyber insurance has continued to grow against the backdrop of evolving cyber related threats and geopolitical uncertainty.

Click here to read more

Authors