By Jade Kowalski, Charlotte Halford, Peter Given & Hans Allnutt

Published 04 October 2024

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments in the previous month.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

TR v Land Hessen (Case C-768/21)

The Court of Justice of the European Union has handed down a judgment of interest in respect of GDPR breaches and whether data protection authorities are obligated to exercise corrective powers (such as fines). The judgment can be found here.

In Germany, a savings bank found that one of its employees had consulted an individual customer's personal data on several occasions without being authorised to do so. Following the discovery, the savings bank did not inform the customer, as its data protection officer had taken the view that there was no high risk to the individual. The customer became aware that his data had been improperly accessed and lodged a complaint with the Hessen Commissioner for Data Protection and Freedom of Information (“HBDI”). The savings bank made representations to the HBDI, as part of which the employee in question confirmed in writing that she had neither copied nor retained the data, that she had not transferred the data to third parties and that she would not do so in the future. The savings bank had taken disciplinary measures against her. The HBDI elected to take no corrective measures against the savings bank. The customer issued proceedings in the German courts, which then referred the question to the CJEU for a preliminary ruling on the interpretation of Article 57(1)(a) and (f), Article 58(2) and Article 77(1) GDPR.

The CJEU found that where a personal data breach has been established (as it was here, due to the unauthorised access), the supervisory authority is not obliged to exercise a corrective power, in particular the power to impose an administrative fine, where doing so is not necessary to remedy the shortcoming found and to ensure that the GDPR is fully enforced. This could be the case, inter alia, where, as soon as the controller became aware of the breach, it took the necessary measures to ensure that the breach was ended and did not recur.

 

Regulatory Developments

Irish Data Protection Commission issues €91 million fine to Meta

The Irish Data Protection Commission has concluded an investigation into Meta Platforms Ireland Limited, after Meta notified the DPC that certain passwords of social media users had been stored on internal systems without protection or encryption.

The DPC issued a reprimand to Meta, and administrative fines totalling €91 million, pursuant to Articles 58(2)(i) and 83 GDPR respectively.

The DPC press release confirming the outcome of the investigation can be found here. The DPC will publish the full decision in due course, and practitioners will await it with great interest to understand the position the DPC has taken and the reasons behind it.

 

Irish DPC commences cross-border enquiry into Google AI model

Our detailed piece on Data Protection Impact Assessments this month discusses the news that the Irish DPC commenced a cross-border statutory inquiry into Google Ireland Limited ("Google") arising from Google's processing of user personal data to help develop its AI model, Pathways Language Model.

The DPC also confirmed the conclusion of proceedings brought before the Irish High Court in respect of plans by X to train its AI tool, Grok, on personal data contained within the public posts of X’s EU/EEA users.

 

ICO acts against Sky Betting and Gaming for using cookies without consent

The ICO issued a reprimand to the company trading as 'Sky Betting and Gaming' for unlawfully processing personal data through advertising cookies without having obtained the valid consent of the relevant data subjects. An investigation by the Clean Up Gambling group in January 2022 alleged that the company was transferring extensive amounts of personal data to third parties without obtaining informed consent from data subjects. The Information Commissioner conducted an investigation, which found that between January and March 2023 certain cookies were being deployed before users interacted with the site’s consent management platform, with the result that users’ personal data was being processed and made available to AdTech vendors through the use of cookies, without the individuals' knowledge or consent.

In response, Sky Betting and Gaming made changes to its processes in March 2023 so that going forwards, users could reject advertising cookies before their personal information was shared. Taking into account all of the circumstances, the ICO held that a reprimand was an effective, proportionate and dissuasive measure in this instance. The reprimand can be found here.

 

European Commission to consult on standard contractual clauses

The European Commission is preparing a consultation on new standard contractual clauses (SCCs) for transfers of personal data to third-country controllers and processors that are themselves subject to the EU GDPR. This is to address the somewhat awkward situation whereby, currently, an overseas controller or processor caught by the extraterritorial effect of the EU GDPR has to sign up to the full SCCs in the same manner as a data importer that is not caught. The new SCCs will therefore complement the existing clauses for data transfers to third-country importers not subject to the GDPR.

Details of the Commission initiative can be found here; it confirms that a public consultation is planned for the fourth quarter of 2024, with adoption planned for the second quarter of 2025.

 

European Data Protection Board and Commission to work on GDPR / DMA interplay guidance

The European Data Protection Board and European Commission have agreed to work together to clarify, and provide guidance on, the interplay between GDPR and the Digital Markets Act. The collaboration will focus on the applicable obligations of digital gatekeepers to ensure coherent application of the relevant digital frameworks.

The EDPB press release on this announcement can be found here.

 

Data & Privacy Developments

Meta resumes plans to train AI on UK user data

Following a decision earlier this year to pause the training of its large language AI models on user data, Meta has restarted training AI using public content shared by adults on Facebook and Instagram in the UK.

In response to concerns about the ability of users to opt out of these steps, Meta confirmed that adult Facebook and Instagram users in the UK “will start receiving in-app notifications… including how they can access an objection form at any time to object to their data being used to train our generative AI models.” Meta has commenced similar steps in Brazil, where the data protection authority, ANPD, had suspended a preventative order it had previously issued. That order had required Meta to suspend the use of personal data published on its platforms for AI systems training purposes.

The ICO issued a statement in response to Meta’s decision. Stephen Almond, Executive Director Regulatory Risk at the ICO reiterated that the ICO has “been clear that any organisation using its users’ information to train generative AI models needs to be transparent about how people’s data is being used… The ICO has not provided regulatory approval for the processing and it is for Meta to ensure and demonstrate ongoing compliance.”

 

LinkedIn AI data policy changes generate ICO response

LinkedIn updated its UK data policy in September, meaning that users were automatically opted into the training of its AI models without first giving approval for the use of their data in this way. Users were instead required to opt out via the platform settings. LinkedIn confirmed that it would not be training AI models using data from the EU, EEA and Switzerland.

In response to concerns raised by the general public, LinkedIn suspended the training of these models in the UK pending further engagement with the ICO, which released a statement in response; it can be found here.

 

Office of the Australian Information Commissioner issues statement on Clearview AI

The Australian Information Commissioner has issued a statement on Clearview AI, the facial recognition technology company, following reports that Clearview was still collecting images of individuals in Australia.

The OAIC had made declarations against Clearview back in 2021, and the company withdrew from an appeal process. The original determination therefore still stands, as do the declarations contained therein, including that Clearview AI must not collect images from individuals in Australia and must delete all images it had previously collected from individuals in Australia.

No further action was found to be warranted at this time, and the OAIC statement can be found here.

 

Cyber Developments

ICO and NCA sign a memorandum of understanding for further collaboration on cyber security

The ICO and National Crime Agency (NCA) have signed a Memorandum of Understanding (MoU) committing to collaborate to improve cyber resilience in the UK. The MoU establishes a framework for cooperation and information sharing between the two organisations and sets out the broad principles of collaboration and the legal framework governing information sharing.

The MoU sets out that the NCA and ICO will undertake various collaborative actions such as:

  • Sharing intelligence on international developments and opportunities in relation to cyber security;
  • Sharing information such as relevant cyber threat information (NCA) and cyber incidents (ICO), although it is made clear that the Information Commissioner will not make onward disclosure of the data shared by the NCA, unless prior consent is obtained. In addition, appropriate security measures will be put in place to protect information transfers in accordance with the sensitivity and classification of the information;
  • Reminding parties of their regulatory obligations in the event that an incident is reported by a third party to one organisation, where that incident should also be notified to the other. The NCA and ICO will be expected to coordinate management of cyber incidents in order to minimise disruption to the affected organisation; and
  • Harmonisation of public communications where matters or incidents involve both organisations, and amplification of each other’s messages to promote learning, consistent guidance and standards.

The Memorandum of Understanding can be found here, along with the ICO and NCA press releases.

 

NCSC issues alerts in respect of Russian and Iranian cyber threats

The National Cyber Security Centre contributed to a joint advisory document revealing tactics and techniques used by Russian military actors as part of their operations, including offensive cyber operations. To prevent impacts on UK organisations, the NCSC strongly advises network defenders to follow the recommended actions set out in the advisory document, to bolster their cyber resilience. The press release can be found here.

The NCSC also issued a joint advisory with US partners, sharing details of how cyber attackers working with the Iranian Islamic Revolutionary Guards Corps are using social engineering techniques to obtain access to personal and business accounts and information online. The threat actors exfiltrate and delete messages and set up email forwarding rules. Targets of this threat are understood to be individuals with a connection to Iranian and Middle Eastern affairs. The press release can be found here.

 

UK data centres to be identified as critical national infrastructure

The Technology Secretary, Peter Kyle MP, announced that UK data centres will now be designated as Critical National Infrastructure (CNI). This is the first new designation of this kind since 2015, when CNI status was applied to the Space and Defence sectors.

This change will result in the creation of a dedicated CNI data infrastructure team of senior government officials to monitor and anticipate potential threats. In addition, CNI status is intended to deter cyber criminals from targeting data centres housing health and financial data. The announcement emphasised that the CrowdStrike incident earlier this year demonstrated the catastrophic impact that cyber incidents can have on the general public. CNI status will now mean that, in the event of an attack on a data centre hosting NHS patient data, the government would intervene to mitigate the risk of damage to essential services.

The press release can be found here.

 

ENISA publishes Threat Landscape report for 2024

The European Union Agency for Cybersecurity (ENISA) has published its 2024 Threat Landscape Report, which identifies the major cybersecurity threats facing organisations in the European Union. The report identifies seven key threats, including ransomware, malware and social engineering. With the NIS2 Directive entering into force in late 2024, the report also analyses the threat landscape faced by various sectors, with public administration, transport and finance specifically identified as targets.

The report can be downloaded from this link.
