We are delighted to welcome you to the June 2023 edition of our Data, Privacy & Cyber Bulletin. Our recently expanded monthly newsletter features thought leadership and practical guidance from our market-leading Data, Privacy & Cyber team. This month’s edition takes in a wide variety of data protection issues, starting with the recent interest in ChatGPT from European data protection authorities, who are responding to concerns about the AI platform's use of data.
The ICO has recently issued new guidance for employers on data subject access requests; we address the key points to note, and steps that employers may wish to take in response.
We analyse whether the viability of data privacy representative actions has been dealt a further setback following the decision of the High Court in Prismall v Google and DeepMind.
We also update readers on the recent announcement of a UK-US 'data bridge' extension to the proposed EU-US Data Privacy Framework, and updated guidelines from the European Data Protection Board on the calculation of administrative fines under the GDPR. We also review the efforts of the Court of Justice of the European Union to bring clarity to the question of an individual's entitlement to compensation for non-material damage under the GDPR in the Austrian Post decision.
We have guest input from Demarest in Brazil commenting on claims for breaches involving sensitive personal data under the Brazilian General Data Protection Law.
Finally, the new UK Fraud Strategy proposes extending the ban on cold calling to all financial products. We identify the potential consequences for financial services providers, including how the use of telephone marketing to develop new business might be affected.
ChatGPT: European regulators take chatbots to task
We look at how ChatGPT is attracting the interest of data protection regulators across Europe. ChatGPT has been the focus of a number of questions and investigations, likely to be a precursor to further steps to regulate the area of generative AI.
DSARs: What the updated ICO guidance means for employers
We review the updated guidance issued by the ICO on data subject access requests, addressing how it provides helpful examples on issues which arise in the employment context, going further than the existing guidance.
End of the road for data privacy representative actions? Prismall v Google and DeepMind
We analyse the impact of the recent decision in Prismall v Google and DeepMind on the viability of representative actions for data privacy claims, following the previous Supreme Court decision of Lloyd v Google.
UK – US Data Bridge – the latest development on data transfers
We address the recent announcement by the UK Government that it reached a commitment with the US to establish a "data bridge", operating as an extension to the EU-US Data Privacy Framework.
Brazil: Sensitive personal data and the application of the LGPD
Demarest Advogados in Brazil consider recent case law which will help clarify how Brazil's courts will deal with claims seeking moral damages following breaches involving sensitive personal data.
EU GDPR fines and a new methodology to ensure consistency
The European Data Protection Board has recently issued new guidelines on the calculation of administrative fines under the GDPR. We review the harmonised starting point and methodology from which fines will now be calculated, and the possible impact across European data protection regimes.
The Austrian Post decision on non-material damage – a decision of clarity or ambiguity?
We examine the recent CJEU decision in Austrian Post, analysing whether the decision has brought clarity and harmonisation on an individual's entitlement to compensation for non-material damage under Article 82 of the GDPR.
Proposals to extend the "ban" on cold calls – unintended consequences for financial services providers?
We identify the potential risks to financial services companies as a result of the recent proposals within the UK Fraud Strategy to extend the ban on cold calling to cover all financial products.