The new 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments in the previous month.
Contents
Case law updates
CJEU issues further judgments on compensation claims under Article 82, GDPR
The CJEU has handed down judgments in the following cases: (a) JU and SO v Scalable Capital GmbH (Joined Cases C-182/22 and C-189/22); and (b) AT and BT v PS GbR, VG, MB, DH, WB and GS (Case C-590/22).
Points to note from the judgments (which in part reiterate previous CJEU decisions) include: (1) the right to compensation under Article 82 is compensatory, not punitive in nature; (2) there is no de minimis level of harm necessary for the right to compensation to be engaged (although where harm is minor, national courts may award minimal compensation); but (3) a breach of the GDPR alone does not confer a right to compensation (i.e., there must be a causal link between the breach and the harm suffered).
In the JU and SO cases, the CJEU provided some guidance on the meaning of identity theft (as that term is used in the GDPR). In particular: identity 'theft' and 'fraud' are interchangeable and not distinct; the theft of personal data does not, in and of itself, constitute identity theft; and identity theft implies that the data subject's identity must be misused by a third party.
In the AT and BT case, the CJEU held that a person’s fear that his or her personal data have been disclosed to third parties is sufficient to give rise to a right to compensation, provided that the fear, and its negative consequences, is proven.
The decisions can be found here: Joined Cases C-182/22 and C-189/22 and Case C-590/22.
English High Court rules on data subject access requests
The case (Harrison v Cameron and ACL [2024] EWHC 1377 (KB)) concerned a subject access request for certain telephone recordings of the claimant. Among other things, the Court had to consider whether, pursuant to Article 15(1)(c) of the UK GDPR, the requestor was entitled to be informed of the categories of recipient of his personal data or of the specific recipients.
The Court referred to the CJEU decision in the 'Austrian Post' case (C-154/21) (which is not binding in the UK following the UK's departure from the EU) and held that the data subject is entitled to request and receive the specific identities of the recipients (i.e., the choice rests with the data subject) and the controller must comply with such a request unless it is impossible to identify the recipients or the request is manifestly unfounded or excessive.
In the judgment, the Court also considered issues of controllership, the scope of the 'purely personal/household activity' exemption and the requestor's motive in construing the 'rights of others' exemption (which the Court appeared to accept). This case is also discussed in our detailed piece on DSARs this month.
The full judgment can be found here and the Austrian Post case is accessible here.
Regulatory Developments
ICO confirms review into public sector approach
In June 2022, the ICO revised its approach for working with public sector organisations, commencing a two-year initiative to raise standards, partly by ensuring that fines do not unnecessarily impact on the provision of public services and budgets. The ICO has confirmed this approach is now under review with a decision expected this autumn. The current approach will continue in the meantime. The statement on this review can be found here.
ICO consultation series on generative AI and data protection closes
The ICO consultation series on the application of data protection law to the development of generative AI has now concluded with the deadline for the fourth and final call for evidence passed. Details of the ICO's consultation series can be accessed here.
We have written on each of these consultations, with links set out below:
- Chapter one: The lawful basis for web scraping to train generative AI models
- Chapter two: Purpose limitation in the generative AI lifecycle
- Chapter three: Accuracy of training data and model outputs
- Chapter four: Engineering individual rights into generative AI models
ICO releases full decision in relation to the “My AI” feature on Snapchat
The ICO has published its full decision following its preliminary findings on Snap Inc. and Snap Group Limited's compliance with Articles 35 and 36 of the UK GDPR in relation to the launch of the My AI feature on the Snapchat platform.
In summary, the ICO has concluded that Snap's revised DPIA (the fifth iteration) meets the requirements of Article 35 and there are no grounds to issue an enforcement notice.
The decision sets out the reasons why the ICO has found that Snap has now carried out a DPIA which complies with the requirements of the UK GDPR, and this will be of wider relevance to organisations wanting to understand the ICO's views and approach on DPIAs. The full decision can be found here, as well as our initial views following the first release confirming the outcome.
European Data Protection Supervisor publishes first orientations for EU Institutions using generative AI
The European Data Protection Supervisor (EDPS) has published guidance providing practical advice to EU institutions and agencies on the processing of personal data in their use of generative AI. This guidance has been issued in the EDPS' role as a data protection supervision authority and not its role as AI supervisory authority under the EU AI Act. The orientations provide overviews of the circumstances in which EUIs can use generative AI, consideration of personal data processing issues such as data minimisation, data accuracy, automated decisions, and various other issues of relevance. The guidance can be found here.
EDPS publishes dispatch on Neurodata
Earlier this year, we commented on the ICO Tech Horizons report which identified neurotechnologies as one of the priority technologies of interest to the UK data protection regulator.
The EDPS has now published a TechDispatch on the issue of neurodata. The dispatch provides summaries of basic definitions and concepts covering this growing area, particularly in light of research initiatives around the world which demonstrate increased interest in the area of neurotechnology. The review highlights use cases for neurodata and the data protection challenges in processing this data. The TechDispatch is available here.
European Commission rebukes Meta over 'pay or consent' model
Meta's decision to offer a 'pay or consent' advertising model has received much attention. We have issued a number of articles on this matter, including an article on the eagerly awaited European Data Protection Board opinion. This opinion concluded that "in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee".
In parallel, the European Commission commenced proceedings to establish whether the 'consent or pay' model complied with Meta's obligations under the EU Digital Markets Act. The Commission has now issued its preliminary opinion confirming that the advertising model is not compliant with the DMA as it does not meet the requirements set out under Article 5(2), for the following reasons:
- It does not allow users to opt for a service that uses less of their personal data but is otherwise equivalent to the “personalised ads” based service.
- It does not allow users to exercise their right to freely consent to the combination of their personal data.
Now that the Commission has provided Meta with its preliminary findings, Meta has the opportunity to examine the documents used by the Commission and reply in writing. The investigation is expected to be concluded by the end of March 2025. The European Commission's press release on this decision can be found here.
Data & Privacy Developments
Meta receives pushback to AI user data training proposals
Meta has confirmed that it will delay processing EU/EEA user data to train its large language AI models following complaints by various European data protection regulators. The delay follows a request by the Irish Data Protection Commission, as Meta's lead regulator in Europe.
The Irish DPC welcomed the decision. The DPC, in co-operation with its fellow EU data protection authorities, will continue to engage with Meta on this issue.
The Brazilian data protection authority, ANPD, has also issued a preventative order requiring Meta to suspend the use of personal data published on its platforms for AI systems training purposes. A daily fine of R$50,000 will apply for non-compliance. A copy of the Order (in Portuguese) can be found here.
noyb files complaints against Microsoft with the Austrian data protection authority
The use of digital and online learning facilities has grown considerably in the wake of the COVID-19 pandemic. The European privacy rights group, noyb, alleges that the growth of this area has resulted in anti-competitive domination with implications for data protection rights.
noyb has filed complaints with the Austrian data protection authority alleging that Microsoft, via use of the Microsoft 365 Education package, has created a system resulting in the denial of "even the most basic GDPR rights to data subjects". Microsoft has stated that, as software provider, it is a processor and that responsibility lies with the local authorities responsible for schools. noyb states that this has resulted in a system where the "supposed 'processor' (here: Microsoft) does not respond to the exercise of rights under the GDPR, while the supposed 'controller' (here: the school) is unable to comply with such requests".
The complainants ask the Austrian data protection authority to investigate and analyse the data processing by Microsoft 365, and then impose a fine. English translations of the complaints can be found here: first complaint and second complaint.
Cyber Developments
Synnovis ransomware attack
On 3 June, Synnovis, an organisation providing services to the NHS, service users and clinical users, was subject to a ransomware attack by the Russian hacking group Qilin. It is believed that records covering over 300m patient interactions were affected by the attack, which also resulted in a number of planned operations and treatments being cancelled.
Synnovis has dedicated a section of its website to the ransomware attack, with links to NHS England and other appropriate websites for those affected. Both the National Cyber Security Centre and the ICO have confirmed that their respective enquiries into the breach are ongoing.
Investigation into 23andMe data breach
The ICO and the Canadian data protection authority (Office of the Privacy Commissioner of Canada) have launched a joint investigation into the data breach at the direct-to-consumer genetic testing company, 23andMe. The investigation will examine the scope of data exposed in the breach and the risk to those affected, and the safeguarding and notification processes in place at 23andMe at the time of the breach. The ICO press release on the investigation can be found here.