Data Protection News and Trends

Welcome back to the fourth edition of our newly rebranded Data Protection News and Trends. We are excited to be able to continue to provide you with regular and insightful updates in the data protection space that we hope you find valuable. 

After a short break over the winter and since our last edition in October, we’ve seen some interesting developments in the privacy landscape and related regulatory frameworks. In this edition, we provide an overview of some of these key updates over the last few months including insights on what to expect from the UK’s data protection reform as the new Data Protection and Digital Information Bill (No. 2) progresses through legislative stages. 

The Information Commissioner’s Office (ICO) remains a highly active regulator—as usual, we provide a summary of the recent trends in its enforcement action. We also outline the ICO’s other focus areas, such as cookie compliance, highlighting some useful takeaways to ensure adherence to the requirements of using cookies. 

Moreover, the UK has made some significant strides towards creating a safer internet space, exemplified by the introduction of the Online Safety Act last year. This act aims to enforce stricter controls over harmful online content.

There have been some major developments across the English Channel as well. The onset of this year saw the coming into force of the Data Act, ushering the EU into a historic new era of data governance.  

Latest updates

European Data Act - Key Provisions and their implications

The EU recently adopted the Data Act, creating a new chapter in the bloc’s data governance approach. This article gives an overview of the Data Act’s key provisions and its implications for businesses and consumers.

Information Commissioner's Office (ICO) Enforcement Trends 2024

Read an overview of the ICO’s enforcement actions from the last few months. We spotlight noteworthy trends across both private and public sector organisations and how they may affect your organisation. 

UK's Online Safety Act 2023: What You Need to Know

The UK Parliament passed the Online Safety Act, which represents a major shift in regulating the use of the internet. The act seeks to control harmful online content to enhance the safety of UK internet users. 

UK Data Protection and Digital Information Bill no. 2 – What is Changing for UK Organisations? 

The UK’s data protection reform draws nearer as the Data Protection and Digital Information Bill no. 2 continues to move its way through the parliamentary procedures. The bill proposes a number of changes for UK-based organisations, seeking to overhaul the existing data protection regime in several ways. 

ICO warning on advertising cookie compliance  

In this update, we provide a refresher on what cookies and similar technologies are and review the ICO’s recent communication, warning organisations to ensure they are continuing to consider data protection law when using cookies or similar technologies to advertise to data subjects.  

The Irish Data Protection Commissioner (DPC) imposed a €1.2 billion fine on Meta Ireland for the failure to comply with the international data transfer rules contained in Chapter V of the GDPR. The decision provided clarity on important issues from standard contractual clauses to transfer impact assessments and Article 49 derogations and serves as a reminder of the importance of complying with international data transfer requirements.

The European Commission proposed the first-of-its-kind AI regulatory framework for the EU. The proposal, in the form of the draft AI Act, follows a risk-based approach: AI systems will be evaluated and categorised based on the level of risk they present to users, which will also determine the stringency of applicable regulatory requirements.

The last quarter saw significant developments in the international data transfer landscape. The EU-US Data Privacy Framework was implemented over the summer, paving the way for free flows of data between the jurisdictions. It was recently followed by the UK-US Data Bridge, an extension to the EU-US framework, allowing UK organisations to share data freely with US organisations that have self-certified with the framework.

In this update, we review the ICO’s enforcement action in the last quarter and its areas of focus and/or concern. We highlight some of the key trends we noticed with respect to private and public sector organisations alike and also touch upon why this remains significant for your organisation.

In a historic move, the Irish Data Protection Commission (DPC) imposed a €345 million fine on TikTok Technology Limited (‘TikTok’) in September 2023. This decision arises from TikTok's breach of the GDPR, particularly concerning children's data. This fine follows a previous £12.7 million penalty by the UK's Information Commissioner. The DPC's in-depth investigation unveiled several significant findings, including public child profiles, security breaches, lack of transparency, and the use of 'dark patterns.' TikTok faces a substantial challenge to bring its practices in line with the law within three months, while maintaining its strong disagreement with the decision.

After the parliamentary debate on the UK’s data protection reform was put on hold in September 2022, the UK has now re-introduced the Data Protection and Digital Information (No. 2) Bill (the ‘Bill’). The Bill proposes a number of changes to the current UK data protection regime. We have summarised our top 5 potential amendments that are most likely to affect your organisation.

The ICO has a range of enforcement powers at its disposal, which can be used in the event of non-compliance with UK data protection regulation. In this update, we have analysed recent ICO enforcement action from October last year up to and including March this year, to identify any trends, areas of ICO focus and/or concern, and to highlight why this may be significant for your organisation.

Following the public consultation, in February 2023 the European Data Protection Board (EDPB) published finalised guidelines on the interplay between the territorial scope and GDPR’s international data transfer provisions. The guidelines set out a three-pronged approach for assessing whether a processing operation qualifies as an international transfer of personal data and provide illustrative examples of some of the most common international data transfer cases. UK businesses with an exposure to international data transfers caught by the EU GDPR should consider reviewing their arrangements in light of this document.

The ICO has issued TikTok a £12.7 million fine for processing children's personal data without appropriate parental consent and failing to process the data of UK users lawfully, fairly and in a transparent manner. This is significantly lower than the original ICO notice of intent for TikTok, which was for a fine of £27 million in 2022 and also took account of impugned failures in relation to the handling of special category data.

The Information Commissioner's Office (ICO) has published the Children's Code (also known as the Age-Appropriate Design Code) to help organisations protect children's personal data online and ensure that online services likely to be accessed by children are appropriate for their use and meet their developmental needs. In this newsletter, we discuss the Code's requirements for handling children's data, the scope of the Code, the essential set of standards for adhering to the best interests of the child, and the legal requirements to demonstrate accountability for data controllers. We also provide a list of the tools, roadmaps, and guidelines published by the ICO to help you assess risks and ensure you act in the children's best interests.

The ICO has recently published guidance on ‘Privacy in the product design lifecycle’, which seeks to help readers to understand how to embed the principles of data protection by design and default when developing a product or service. More specifically, the guidance is aimed at technology professionals such as product and user experience (UX) designers, software engineers, quality assurance (QA) testers and product managers. The guidance contains advice for various stages throughout product/service development, namely: kick-off, research, design, development, launch, and post-launch phases.

On March 15, 2023, the ICO updated its AI and Data Protection Guidance in response to the UK industry's request for clarity on AI fairness requirements. In this newsletter, we explore the updated AI Guidance, which will be an important starting point for any UK-based organisation’s data protection compliance journey when considering implementing AI solutions. We provide an overview of the key changes to the guidance, with a particular focus on the accountability and governance considerations in AI and the meaning of “Transparency”, “Lawfulness” and “Fairness” in AI, and we highlight the key concepts to consider when implementing AI solutions.

The UK government announced plans in 2021 to expand the list of countries that provide adequate data protection, allowing UK organisations to share personal data without additional safeguards. In November 2022, the UK finalised its first-ever adequacy regulation with South Korea, following its exit from the EU. This allows free flows of data between the UK and South Korea.

The ICO will now publish data protection complaints, self-reported data breach cases and civil investigations data sets on its website.

In 2022, the UK announced a possible fine of £27m against TikTok for processing children's personal data without appropriate parental consent, failing to comply with the transparency principle, and processing special category data without an appropriate lawful basis.

Ireland's DPC submitted a preliminary decision to other EU supervisory authorities about TikTok's processing activities, focusing on platform settings and age verification for children.

There were two key developments for international data transfers this year: the newly proposed data transfer framework between the EU and the US, and the ICO’s new transfer risk assessment (TRA) tool and guidance.

In October 2022, the White House published an executive order implementing the EU-US Data Privacy Framework (DPF) into US law. The EU Commission has initiated the process to adopt a final adequacy decision, which is likely to take 6 months. While the decision does not directly affect UK-based organisations, the UK is likely to follow a similar approach, so those organisations should be aware of the outcome.

Following the Schrems II judgment, UK controllers must conduct a transfer risk assessment (TRA) before making an international data transfer to a non-adequate jurisdiction.

The ICO has finalised and published the long-awaited TRA guidance and an accompanying assessment tool, which should be used in conjunction with a relevant data transfer tool such as the ICO’s International Data Transfer Agreement.

The ICO has released new guidance on direct marketing using electronic mail, which explains the rules under the Privacy and Electronic Communications Regulations 2003 (PECR) and how companies should comply, including by using consent and soft opt-in mechanisms.

In October 2022, the European Data Protection Board (EDPB) approved the first-ever "European Data Protection Seal" under Article 42(5) of the GDPR. While the certification only applies to a process as opposed to the organisation as a whole, it will be recognised in all EU countries.

If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.