
Data, Privacy and Cyber in December and January: In Case You Missed It


By Jade Kowalski, Charlotte Halford, Peter Given & Hans Allnutt


Published 19 February 2025

Overview

Our 'In Case You Missed It' section of the Data, Privacy and Cyber Bulletin provides readers with a high-level digest of important regulatory and legal developments at the end of 2024 and the first month of 2025.

 

Contents

  1. Case Law Updates
  2. Regulatory Developments
  3. Data & Privacy Developments
  4. Cyber Developments

 

Case Law Updates

Data Protection Commission v European Data Protection Board (Joined Cases T-70/23, T-84/23 and T-111/23)

The General Court of the European Union has issued a ruling clarifying the authority of the European Data Protection Board to compel lead supervisory authorities (such as the Irish Data Protection Commission) to open new investigations. Our detailed article this month discusses this decision in full, and the judgment can be found here.

 

Doorstep Dispensaree Limited v The Information Commissioner [2024] EWCA Civ 1515

The Court of Appeal unanimously dismissed an appeal by Doorstep Dispensaree Limited in respect of a monetary penalty notice issued by the Information Commissioner's Office in December 2019. The ICO had initially levied a fine of £275,000 against Doorstep Dispensaree for leaving copies of sensitive patient data in an insecure courtyard.

The company appealed to the First-tier Tribunal, which upheld the fine but reduced the amount to £94,000 on the basis that less data was involved than the ICO had believed. Doorstep Dispensaree appealed further, unsuccessfully, to the Upper Tribunal and finally to the Court of Appeal. Dismissing the final appeal, the Court of Appeal held that, in an appeal against a penalty notice under the Data Protection Act 2018, the burden of proof lies with the appellant to establish the grounds for setting aside the penalty. In other words, an appeal against a monetary penalty notice is not a full review on the merits starting from a blank sheet of paper: the appellant carries the burden of proof to overturn the original decision.

The decision was welcomed by the ICO. The full judgment can be found here.

 

Prismall v (1) Google (2) DeepMind [2024] EWCA Civ 1516

The Court of Appeal upheld the decision of the High Court in a representative action for the tort of misuse of private information, brought on behalf of the appellant and a class of approximately 1.6 million members. Our analysis of the High Court decision can be found here.

The limited prospect of successful collective redress for data privacy breaches has been reinforced by this decision. The 'same interest' test applied by the Supreme Court in Lloyd v Google was applied again, with the court specifically noting that a representative class claim for misuse of private information "is always going to be very difficult to bring". In this instance, "relevant circumstances will affect whether there is a reasonable expectation of privacy for any particular claimant, which will itself affect whether all of the represented class have 'the same interest'." The finding that some of the represented claimants had publicly shared their information, such that it was no longer private, was one of the factors fatal to the class claim.

The full judgment can be found here.

 

Regulatory Developments

Data (Use and Access) Bill passes House of Lords

The Data (Use and Access) Bill has passed the House of Lords, following successful report and third reading stages in January and early February. Two additions of note were made to the Bill at report stage in the House of Lords:

  • The annual report produced on the ICO will now be required to include "an assessment of the Commissioner's performance of [its] duties"
  • Provisions relating to the operation of web crawlers and to ensuring that operators of web crawlers and general-purpose AI models comply with UK copyright law

The Bill has now moved to the House of Commons, where the first and second readings have been completed. It has been sent to a Public Bill Committee, which will scrutinise the Bill line by line and is expected to report to the House by Tuesday 18 March 2025.

 

Ransomware consultation on increasing incident reporting and reducing payments to criminals

The UK Government has commenced a consultation on proposals to introduce legislation targeted at countering the threat from ransomware, with three main objectives:

  • Reducing the amount of money flowing to ransomware criminals from the UK, thereby deterring criminals from attacking UK organisations
  • Increasing the ability of operational agencies to disrupt and investigate ransomware actors by increasing our intelligence around the ransomware payment landscape
  • Enhancing government understanding of the threat landscape to inform future interventions, including through cooperation at international level

Please refer to our detailed analysis piece on the proposals this month. The consultation documentation can be found here and closes on 8 April 2025.

 

The EU Digital Operational Resilience Act takes effect

From 17 January 2025, the EU Digital Operational Resilience Act (DORA) has applied across the EU, impacting how financial entities prevent and respond to cyber threats and other ICT-related disruptions. A number of experts from across our firm have previously set out a summary of the background to DORA.

 

President Trump signs Executive Order on US AI policy

In a move away from the policy of the previous Biden administration, President Trump issued an Executive Order shortly after taking office aimed at 'Removing barriers to American leadership in Artificial Intelligence'. The order is a fundamental shift in AI governance in the United States, focused on American interests as opposed to the international cooperation sought under President Biden.

In terms of specific measures, the order compels the development of an AI Action Plan, and the revision and reissue of Office of Management and Budget memoranda relating to AI so as to remove 'harmful barriers' to American AI leadership. The Executive Order can be found here, along with the accompanying White House factsheet.

 

Data & Privacy Developments

ICO updates position on generative AI and data protection following consultation series

Following a consultation series which considered five key areas of generative AI and data protection, the ICO issued updated guidance on two of these areas. In respect of the legitimate interests lawful basis for web scraping to train generative AI models, the ICO noted that the invisible nature of web scraping means it occurs without people being aware that their data is being processed. This means that developers may struggle to meet the requirements of the legitimate interests balancing test. The ICO recommends that "generative AI significantly improve their approach to transparency".

When engineering individual rights into generative AI models, the ICO updated its guidance to reflect that organisations, as controllers, must design and build systems that implement the data protection principles effectively and integrate the necessary safeguards into the processing. The ICO's position on purpose limitation, accuracy and controllership remains the same as before the consultation. The ICO makes clear that a further update to the guidance will be issued following any changes to data protection law made by the Data (Use and Access) Bill, and that the guidance will also align with its forthcoming joint statement on foundation models with the Competition and Markets Authority. The full suite of ICO commentary as it stands can be accessed here.

 

European Data Protection Board issues opinion on processing of personal data in context of AI models

The European Data Protection Board (EDPB) released Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models. The Opinion considers a number of different topics including when and how an AI model can be considered anonymous and the use of ‘legitimate interests’ as a legal basis for developing or using AI models. The opinion also sets out views on general considerations such as accountability, transparency and purpose limitation.

Specifically on web scraping, the EDPB provides a non-exhaustive list of mitigating measures in relation to the development phase, including in the context of web scraping. However, the opinion emphasises that any mitigating measures "may be subject to rapid evolution and should be tailored to the circumstances of the case." The opinion was accompanied by a press release which expressly stated that the EDPB is "currently developing guidelines covering more specific questions, such as web scraping."

The full text of Opinion 28/2024 can be found here. The response of the Irish Data Protection Commission, which originally requested the Opinion, can be accessed here.

 

Italian DPA fines OpenAI €15 million for data protection violations

Tied into the above opinion from the EDPB, the Italian data protection authority, the Garante, announced in December that it had fined OpenAI €15 million for processing "users' personal data to train ChatGPT without first identifying an adequate legal basis and violated the principle of transparency and the related information obligations towards users. Furthermore, OpenAI has not provided mechanisms for age verification, with the consequent risk of exposing minors under 13 to responses that are unsuitable for their level of development and self-awareness."

OpenAI has indicated that it will appeal the fine. The English translation of the Garante announcement can be found here.

 

ICO launches 2025 online tracking strategy

The ICO has announced its online tracking strategy for the year ahead, emphasising a focus on online advertising to give "people meaningful control over how they are tracked online and uphold a level playing field for all online services." The ICO highlighted concerns from organisations that there is a 'first mover disadvantage', in terms of revenue and insight, for those who unilaterally act to comply with data protection law; the ICO considers regulatory action necessary to produce change. Details of the announcement can be found here.

Also forming part of this strategy is the extension of a review commenced at the end of 2023. At that time, the ICO carried out a review of cookie banners and policies on the 200 most visited UK websites, proactively writing to those that were non-compliant and threatening enforcement action if changes were not made. The ICO has announced an extension of this approach, now involving a compliance review of the 1,000 most popular websites in the UK. The ICO's announcement of this plan can be found here.

 

ICO issues 'consent or pay' guidance

Following a call for views in 2024, the ICO has issued guidance on 'consent or pay' business models, also known as 'pay or ok' models. These models are summarised by the ICO as "giving people a choice between accessing online services without payment if they consent to their personal information being used for personalised advertising or, if they refuse this consent, having to pay to access that service."

The guidance sets out a framework of factors that organisations must consider when identifying if a 'consent or pay' model meets the standard of consent, building on existing UK GDPR standards and ICO guidance. The full suite of guidance can be found here.

 

ICO concludes consultation on public sector approach

Since June 2022, the ICO has trialled an approach intended to reduce the impact of fines on the public (who ultimately fund the payment of fines imposed on public sector bodies). In practice, this has resulted in an increase in public reprimands and in the use of other powers, including enforcement notices, with fines reserved for only the most egregious cases.

The Information Commissioner confirmed in December 2024 that this public sector approach will now be made permanent. However, the Commissioner emphasised that greater clarity on the parameters of the approach was necessary. A consultation was commenced, concluding on 31 January, to provide further guidance on the scope of the approach and on the factors and circumstances that would make it appropriate to issue a fine to a public authority.

 

ICO sets out plans for new and detailed guidance in 2025 and beyond

As we move into 2025, the ICO has produced an updated list of guidance it is developing over the coming year and beyond as well as when it expects to publish this guidance.

 

EDPB adopts report on right of access by controllers

The EDPB has adopted a report on the implementation of the right of access by controllers. The report summarises a number of coordinated actions carried out in 2024 under the Coordinated Enforcement Framework (CEF), which is aimed at streamlining enforcement and cooperation among data protection authorities.

The report, listing issues observed at some controllers, noted that awareness of Guidelines 01/2022 (Data subject rights - right of access) needs to be improved at both national and EU level. A number of recommendations to help controllers implement the right of access are set out within the report, which can be found here.

 

EDPB adopts pseudonymisation guidelines

The EDPB adopted guidelines on pseudonymisation, aimed at reducing risks to data subjects by preventing the attribution of personal data to natural persons in the course of data processing. The guidelines set out how pseudonymisation can help organisations meet their obligations relating to the data protection principles, security, and data protection by design and by default.

The guidelines will be subject to public consultation until 28 February 2025.

 

Netflix fined €4.75 million for not properly informing customers of use of data

Under the one-stop-shop procedure, the Dutch Supervisory Authority (DSA) has issued a fine of EUR 4.75 million against the streaming provider Netflix. The DSA, acting as lead supervisory authority because Netflix has its main European establishment in the Netherlands, responded to a complaint by the privacy activist group noyb. The investigation found that "Netflix did not inform customers clearly enough in its privacy statement about what exactly Netflix does with [customer] data," nor did Netflix provide sufficient information when asked by customers about the information collected on them.

Details of the complaint and decision can be found on the EDPB website. The response from noyb can be found here.

 

Cyber Developments

NCSC publishes annual review for 2024

Released in December 2024, the National Cyber Security Centre Annual Review highlighted that ransomware continues to be the most immediate and significant threat to critical national infrastructure in the UK. The report noted the threats posed by Russia, Iran and North Korea, among others.

The NCSC's Incident Management team, which responds to serious cyber incidents, provided support on 430 incidents, compared with 371 in the previous year. Twelve incidents were at the top end of the 'nationally significant' scale, a three-fold increase on the previous year. The NCSC report can be accessed here.

 

EU adopts laws to strengthen cybersecurity capabilities

In early December 2024, the European Council adopted two laws to provide the EU with the capabilities to detect, prepare for and respond to cybersecurity threats and incidents. The EU Cyber Solidarity Act creates a new pan-European alert system, with national and cross-border cyber hubs across the EU charged with sharing information and with detecting and acting upon cyber threats. A targeted amendment to the Cybersecurity Act of 2019 was also adopted, enabling the future adoption of European certification schemes for managed security services.

The Council's press release to accompany the news can be found here.

 

EU Cyber Resilience Act takes effect

The Cyber Resilience Act (CRA) entered into force on 10 December 2024. The CRA introduces cybersecurity requirements for the design, development and production of 'products with digital elements'. This definition covers both hardware and software products, including software or hardware components placed on the market separately, and so extends to products such as smart or connected household devices. The CRA applies to manufacturers, distributors and importers of products with digital elements placed on the EU market, so non-EU companies intending to sell their products in the EU will also need to ensure compliance.

The majority of the CRA's provisions will apply from 11 December 2027, affording impacted parties 36 months to comply with the new cybersecurity and reporting requirements. However, certain elements will apply before this: Article 14 (manufacturers' reporting obligations) applies from 11 September 2026, giving manufacturers only a 21-month period to prepare for their reporting obligations, and Chapter IV (notification of conformity assessment bodies) applies from 11 June 2026.

The link to the Official Journal entry can be found here.
