Welcome to the latest edition of Data Protection News and Trends. The past few months have seen significant regulatory developments, presenting new compliance challenges for organisations across a range of sectors.

Latest updates

In this issue, we provide an update on the UK Data Use and Access Bill, a significant piece of legislation introducing changes such as Recognised Legitimate Interests, updates to DSAR processing, new provisions on automated decision-making, and enhanced protections for children’s data. As the Bill progresses through Parliament, we offer insights into its potential impact and the practical steps organisations should take to prepare.

We also examine recent enforcement trends from the Information Commissioner’s Office (ICO), highlighting key areas of focus, including data security failures, marketing compliance, and delays in responding to Data Subject Access Requests (DSARs). These enforcement actions serve as a timely reminder for organisations to strengthen their data protection policies, security measures, and staff training programmes.

The ICO has also stressed the importance of GDPR training, with recent enforcement activity revealing a lack of awareness among employees regarding core data protection obligations. We explore why regular, comprehensive training has become a regulatory priority and how organisations can mitigate risks through structured, ongoing training initiatives.

AI remains a prominent topic, particularly in recruitment, where AI-driven tools are raising concerns about bias, discrimination, and transparency. Following an ICO review, it is evident that many organisations lack adequate oversight and compliance controls when using AI in hiring processes. We discuss regulatory expectations and practical measures to ensure AI-driven recruitment is conducted ethically, fairly, and in line with UK GDPR requirements.

We hope you find these updates informative and valuable in navigating the evolving data protection landscape. Should you have any questions or require further guidance, please do not hesitate to get in touch.




In this update, we provide an overview of the UK Data Use and Access Bill and its current progress through Parliament. We highlight key proposed changes, including the clarified lawful basis “recognised legitimate interests”, updates to automated decision-making, data subject access requests (DSARs), protection of children's personal data and international transfers - all of which could impact the way UK organisations handle personal data.


The ICO issued several enforcement actions last year that point to a common issue: low data protection awareness, with organisations not providing adequate data protection training to employees. This article gives an overview of the enforcement action, underscoring the importance of regular, comprehensive data protection training for employees to avoid costly penalties and reputational damage.


While AI enhances efficiency for employers in the recruitment process, it also creates potential risks around bias and discrimination. This article explores how employers use AI in hiring, the regulatory focus on these tools and key considerations for organisations to manage risk and compliance effectively.


In this update, we provide an overview of the ICO’s enforcement actions from the last couple of months. We spotlight noteworthy trends across private and public sector organisations alike, emphasising why this is significant for your organisation. We also provide brief comments on the importance of safeguarding children’s data based on the ICO’s recent initiatives.


The EU recently adopted the Data Act, creating a new chapter in the bloc’s data governance approach. This article gives an overview of the Data Act’s key provisions and its implications for businesses and consumers.


The UK Parliament passed the Online Safety Act, which represents a major shift in regulating the use of the internet. The act seeks to control harmful online content to enhance the safety of UK internet users. 


The UK’s data protection reform draws nearer as the Data Protection and Digital Information Bill no. 2 continues to make its way through Parliament. The bill proposes a number of changes for UK-based organisations, seeking to overhaul the existing data protection regime in several ways.


In this update, we provide a refresher on what cookies and similar technologies are and review the ICO’s recent communication, warning organisations to ensure they are continuing to consider data protection law when using cookies or similar technologies to advertise to data subjects.  


The Irish Data Protection Commissioner (DPC) imposed a €1.2 billion fine on Meta Ireland for the failure to comply with the international data transfer rules contained in Chapter V of the GDPR. The decision provided clarity on important issues from standard contractual clauses to transfer impact assessments and Article 49 derogations and serves as a reminder of the importance of complying with international data transfer requirements.


The European Commission proposed the first-of-its-kind AI regulatory framework for the EU. The proposal, in the form of the draft AI Act, follows a risk-based approach: AI systems will be evaluated and categorised based on the level of risk they present to users, which will also determine the stringency of applicable regulatory requirements.


The last quarter saw significant developments in the international data transfer landscape. The EU-US Data Privacy Framework was implemented over the summer, paving the way for free flows of data between the jurisdictions. It was recently followed by the UK-US Data Bridge, an extension to the EU-US framework, allowing UK organisations to share data freely with US organisations that have self-certified with the framework.


In this update, we review the ICO’s enforcement action in the last quarter and its areas of focus and/or concern. We highlight some of the key trends we noticed with respect to private and public sector organisations alike and also touch upon why this remains significant for your organisation.


In a historic move, the Irish Data Protection Commission (DPC) imposed a €345 million fine on TikTok Technology Limited (‘TikTok’) in September 2023. This decision arises from TikTok's breach of the GDPR, particularly concerning children's data. This fine follows a previous £12.7 million penalty by the UK's Information Commissioner. The DPC's in-depth investigation unveiled several significant findings, including public child profiles, security breaches, lack of transparency, and the use of 'dark patterns'. TikTok faces a substantial challenge to bring its practices in line with the law within three months, while maintaining its strong disagreement with the decision.


The ICO has a range of enforcement powers at its disposal, which can be used in the event of non-compliance with UK data protection regulation. In this update, we have analysed recent ICO enforcement action from October last year up to and including March this year, to identify any trends, areas of ICO focus and/or concern, and to highlight why this may be significant for your organisation.


Following the public consultation, in February 2023 the European Data Protection Board (EDPB) published finalised guidelines on the interplay between the territorial scope and GDPR’s international data transfer provisions. The guidelines set out a three-pronged approach for assessing whether a processing operation qualifies as an international transfer of personal data and provide illustrative examples of some of the most common international data transfer cases. UK businesses with an exposure to international data transfers caught by the EU GDPR should consider reviewing their arrangements in light of this document.


On March 15, 2023, the ICO updated its AI and Data Protection Guidance in response to the UK industry's request for clarity on AI fairness requirements. In this newsletter, we explore the updated AI Guidance, which will be an important starting point for any UK-based organisation’s data protection compliance journey when considering implementing AI solutions. We provide an overview of the key changes to the guidance, with a particular focus on the accountability and governance considerations in AI, the meaning of “Transparency”, “Lawfulness,” and “Fairness” in AI, and the highlighting of the key concepts to consider when implementing AI solutions.


In 2022, the UK announced a possible fine of £27m against TikTok for processing children's personal data without appropriate parental consent, failing to comply with the transparency principle, and processing special category data without an appropriate lawful basis.


There were two key developments for international data transfers this year: the newly proposed data transfer framework between the EU and the US, and the ICO’s new transfer risk assessment (TRA) tool and guidance.

In October 2022, the White House published an executive order implementing the EU-US Data Privacy Framework (DPF) into US law. The EU Commission has initiated the process to adopt a final adequacy decision, which is likely to take 6 months. While the decision does not directly affect UK-based organisations, the UK is likely to follow a similar approach, so they should be aware of the outcome.


The ICO has released new guidance on direct marketing using electronic mail, which explains the rules under the Privacy and Electronic Communications Regulations 2003 (PECR) and how companies should comply, including by using consent and soft opt-in mechanisms.


If you have any queries or would like further information, please visit our data protection services section or contact Christopher Beveridge.
 
