
Data Protection and Privacy – 2023 in review

By Jade Kowalski and Stuart Hunt


Published 11 January 2024

Overview

2023 saw the fifth anniversary of the introduction of the General Data Protection Regulation, a piece of legislation which fundamentally altered the data protection landscape in the UK and Europe and heavily influenced data protection regimes around the world.

On that anniversary, we offered a detailed analysis of the influence of GDPR, and emerging challenges. The impact of this milestone legislation continues to be felt worldwide, with international regulators increasingly looking to enact their own rules on the regulation of data protection. The past year saw the passage of data protection-specific legislation in Indonesia and India, and we reported on developments in Brazil, where the data protection law celebrated its own fifth anniversary.

In the UK, as part of efforts to refine the existing data protection framework, the Government has successfully progressed the Data Protection and Digital Information (No.2) Bill through the House of Commons, following a previous false start. Concerns remain over some of the legislative changes which the Bill proposes to introduce, and we await scrutiny by the House of Lords with interest.

In July, the European Commission adopted its decision granting adequacy status to the EU-US Data Privacy Framework – the new mechanism aimed at enabling compliance with EU data protection requirements when transferring personal data from the European Union to certified recipients in the United States. In response to the Framework, the UK Government laid regulations establishing the UK-US 'data bridge', allowing organisations in the UK to transfer personal data to US organisations on a similar basis. Our analysis noted that challenges would be likely, and we reported on the first tranche of such challenges in October.

From a UK legislative perspective, the passing of the Online Safety Bill represented a major milestone in privacy, and we considered steps that insurers and companies may need to take given the wide scope of application to those who provide online content. Ofcom confirmed its plans for putting the Online Safety Bill into practice, with phase one (the publication of draft codes and guidance for illegal harm duties) completed in 2023, and further developments planned for 2024.

The Information Commissioner's Office was responsible for notable developments through 2023. Online privacy issues, including cookies and wider questions of online design, were high on the agenda. In late 2023, the ICO issued a statement warning UK companies that they could face enforcement action if their use of advertising cookies did not comply with data protection law. This statement followed a previous call by both the ICO and the Competition and Markets Authority to end website design and practices which "undermine people’s control over their personal information and lead to worse consumer and competition outcomes."

Notable ICO guidance included that relating to the use of privacy enhancing technologies (PETs) and data subject access requests, specifically to assist employers.

The ICO was also involved in important judicial determinations this year. In November, the American facial recognition business Clearview successfully overturned a £7.5 million fine imposed by the ICO in the First-tier Tribunal. On the face of it, this was a surprising decision, but the judgment provided useful guidance on the scope of the UK GDPR's application to data controllers and processors established outside of the UK.

The first GDPR appeal to reach the Upper Tribunal argued that the criminal standard of proof applied in appeals against the imposition of ICO Monetary Penalty Notices, rather than the lower, civil standard. The Upper Tribunal disagreed, resulting in consistency with the conventional principles of information law litigation. The Court of Appeal also held that the ICO is entitled to take a broad view and a pragmatic approach to complaints in its decision in R (Delo) v Information Commissioner.

The end of the road for data privacy representative actions was reached in 2023. Or was it? The High Court decision in Prismall v Google and DeepMind highlighted the difficulties that claimants face in putting together representative actions involving allegations of misuse of private information. It was confirmed in late 2023 that an appeal will be heard before the Court of Appeal in 2024.

We also highlighted the continued struggles in dealing with low value data breach claims (and how this area may evolve will be discussed in our upcoming 2024 Insurance Predictions) and the impact of the extension of the fixed recoverable costs regime on these claims.

In the EU, the European Data Protection Board ramped up its own efforts to ensure cookie compliance by publishing new draft guidelines on the ePrivacy Directive which could potentially extend the legislation's application to emerging technologies. This step by the EDPB followed the culmination of a series of decisions involving Meta which call into question the adtech model.

In January 2023, the Irish Data Protection Commission published final rulings against Meta for violations of the GDPR in relation to both its Facebook and Instagram services. The outcome forced Meta to alter its stated legal basis for processing personal data for behavioural advertising. Subsequently, the Norwegian data protection authority issued a temporary ban on Meta processing personal data for behavioural advertising on the legal bases of contract and legitimate interest. Meta’s appeal against the ban failed, and the Norwegian DPA referred the matter to the EDPB, asking for the ban on behavioural advertising on Facebook and Instagram to be made permanent and extended to the entire EU/EEA. The EDPB agreed, and in early November it instructed the Irish DPC to issue a permanent ban.

The initial ruling against Meta in January also imposed revised fines of €210 million and €180 million for its breaches of the GDPR. In the five years since the introduction of the EU GDPR, data protection authorities across the EU have become increasingly comfortable reprimanding companies in breach. In an effort to "achieve consistent approach to the imposition of administrative fines that adequately reflects all of the principles in the GDPR", the EDPB issued guidelines on the calculation of administrative fines under the GDPR in June.

The European Commission also proposed new rules to ensure the effectiveness of enforcement in cross-border GDPR cases. The new regulation seeks to streamline and harmonise various aspects of the administrative mechanisms necessary in cross-border cases.

Finally, the spirit of cooperation and harmony between nations is going to be needed to deal with the most significant technological development of the past year, artificial intelligence. The last 12 months saw the evolution of numerous data protection and privacy issues identified with the ever-increasing use of artificial intelligence technology.

As early as March 2023, the Italian data regulator (Garante) issued an order banning the AI 'virtual friendship' Replika app from processing user data. Acting at the forefront of formal action, the Italian regulator also temporarily banned Italian users from using ChatGPT.

These actions precipitated a flurry of activity on the part of European regulators, with the UK ICO also acting in respect of generative AI for the first time by issuing a preliminary enforcement notice regarding a failure to properly assess the privacy risks associated with Snap's chatbot, 'My AI'.

The United States also saw the commencement of numerous class actions, which largely consider whether data and images have been improperly obtained and then used as part of training datasets for AI platforms.

Moving into 2024, as the need for regulation of artificial intelligence technology becomes ever more urgent, we expect further action by data protection authorities, and further litigation, to follow.
