On 3 October 2023, the Information Commissioner’s Office (ICO) published guidance (the Guidance) on lawful monitoring in the workplace. The Guidance provides advice to companies to help them comply with their obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018) when monitoring anyone who performs work on their behalf. This is not limited to employees and could include monitoring of workers or those who are self-employed.
Full post: UK Workplace monitoring – are you compliant?
On 19 September, the Department for Science, Innovation and Technology (DSIT) announced in a press release that it is to launch a pilot advisory service next year, called the DRCF AI and Digital Hub.
This service will be operated by members of the Digital Regulation Cooperation Forum (DRCF), made up of the Information Commissioner’s Office (ICO), the Office of Communications (Ofcom), the Competition and Markets Authority (CMA) and the Financial Conduct Authority (FCA).
The DRCF AI and Digital Hub will provide businesses with tailored advice and support regarding how to meet requirements across multiple regulatory regimes. The DSIT anticipates that this service will expedite the process of getting new products and innovations to market, in a safe and responsible manner.
As such, the launch of the DRCF AI and Digital Hub will likely be welcome news for businesses across the UK, providing companies and innovators with the tools to navigate a challenging and multi-layered regulatory environment.
Further to the joint announcement in June by the UK Secretary of State for Science, Innovation, and Technology and the US Commerce Secretary of their intention to create a UK-US data bridge (see our earlier blog for details), the UK government has passed regulations establishing the UK-US data bridge. The data bridge takes the form of a UK extension to the EU-US Data Privacy Framework (the DPF) and will come into force on 12 October 2023.
Full post: UK government announces a UK data bridge with the US
On 11 September 2023, the UK’s Department for Science, Innovation, and Technology (DSIT) published the draft Data Protection (Fundamental Rights and Freedoms) (Amendment) Regulations 2023 (DP Regulations), which seek to amend the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).
Full post: DSIT publishes draft amendments to the UK GDPR and DPA 2018
The House of Commons Committee on Science, Innovation and Technology (the Committee) embarked on an inquiry in October 2022 to assess the impact of artificial intelligence (AI) on various sectors, AI regulation, and the UK Government’s AI governance proposals. The resulting interim report, published on 31 August 2023, offers valuable insights, particularly from a legal standpoint, on the challenges and approaches related to AI governance in the UK.
Full post: AI, a Double-Edged Sword: Recommendations from the Committee’s Interim Report on AI
On July 26, 2023, the U.S. Securities and Exchange Commission (“SEC”) adopted new rules requiring enhanced disclosure of cybersecurity risk management, strategy, governance, and material incidents. The SEC first proposed the cybersecurity rules in March 2022. The agency’s commentary on the final rule suggests that greater disclosure and improved consistency of disclosures will benefit investors. Several key aspects of the final rules are outlined below; they should prove manageable for organizations that already have meaningful incident response and evaluation experience and robust risk management programs that include cybersecurity.
Full post: SEC Issues Final Cybersecurity Rules Enhancing and Modifying Disclosure Requirements: Companies will want to Measure Twice and Cut Once
The UK Department for Culture, Media and Sport has published the draft Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (Draft Security Regulations). These regulations are made under the Product Security and Telecommunications Infrastructure Act 2022 (PSTIA), whose product security regime comes into effect on 29 April 2024 and which you can read about in our earlier blog. Part 1 of the PSTIA establishes a regulatory framework that imposes security requirements on manufacturers, importers, and distributors of relevant connectable products. The Draft Security Regulations set out the specific security requirements for manufacturers.
Full post: Navigating the Path to Compliance: Takeaways from the New Draft Security Regulations for Connected Devices
The European Commission (EC) issued the long-awaited adequacy decision for the new EU-U.S. Data Privacy Framework (Framework) on July 10, 2023. The Court of Justice of the European Union (CJEU) had previously invalidated the U.S.-EU Safe Harbor in 2015 and the U.S.-EU Privacy Shield in 2020, following challenges by Austrian privacy activist Max Schrems (the CJEU decisions known as Schrems I and Schrems II, respectively). Following Schrems II, President Biden signed Executive Order 14086 on “Enhancing Safeguards for United States Signals Intelligence Activities”, which introduced new binding safeguards. Our previous client alert discussed how the draft adequacy decision, including in relation to this Executive Order, addressed the concerns raised in Schrems II.
Full post: Third Time’s a Charm: European Commission adopts EU-U.S. Data Privacy Framework
On June 27, 2023, the Council of Europe (“CoE”) announced the adoption of the first module of its Model Contractual Clauses (“MCCs”) for cross-border data transfers, based on the Protocol amending the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention 108+). These model clauses aim to regulate data flows between data controllers and are recommended for adoption by competent authorities.
Full post: Convention 108+: The Council of Europe Releases Model Contractual Clauses for Global Data Transfers
On 7 June 2023, the European Union Agency for Cybersecurity (ENISA) released a report, Multilayer Framework for Good Cybersecurity Practices for AI (the “Framework”), in response to the evolving landscape of artificial intelligence (AI) and the associated cybersecurity challenges. The publication aims to establish a robust framework that promotes cybersecurity practices throughout the entire lifecycle of AI, from conceptualization to decommissioning. This blog summarises the main features of the Framework.
Full post: ENISA Releases Comprehensive Framework for Ensuring Cybersecurity in the Lifecycle of AI Systems
On 19 June 2023, the Information Commissioner’s Office (ICO) released new Guidance on Privacy-Enhancing Technologies (PETs) for Data Protection Compliance. The guidance is designed to assist data protection officers (DPOs) and others responsible for managing large-scale personal data sets across diverse sectors, including finance, healthcare and research.
Full post: Guidance on Privacy-Enhancing Technologies for Data Protection Compliance: Key Considerations for Organizations
On 12 September 2023, the UK Information Commissioner and the Chief Executive of the National Cyber Security Centre (NCSC) signed a joint Memorandum of Understanding (MoU), which establishes how the NCSC and the Information Commissioner’s Office (ICO) will cooperate. The NCSC is the UK’s technical authority on cyber security, providing standards and guidance to organisations. The ICO is responsible for guidance on and enforcement of the UK’s data protection rules, including the obligation on organisations to apply security measures to personal data.
Full post: Boosting digital resilience – The UK Information Commissioner and NCSC CEO sign Memorandum of Understanding
On August 18, 2023, the Fourth Circuit decertified approximately 20 million putative class action claims arising out of a 2018 data breach involving Marriott Hotels. The Fourth Circuit reversed the district court’s certification and required it to consider in the first instance whether all of the putative plaintiffs waived their claims by signing class action waivers when they registered for the Starwood Preferred Guest Program (“SPG”). The SPG waiver specifically stated that “Any disputes arising out of or related to the SPG Program or the SPG Program Terms will be handled individually without any class action ….”
Full post: Fourth Circuit Decision Highlights Class Action Waivers for Data Breaches are Alive and Well
On 9 August 2023, the Information Commissioner’s Office (ICO) and the Competition and Markets Authority (CMA) published a joint position paper on Harmful Design in Digital Markets (Harmful Designs Paper) that urges businesses to stop using harmful website designs that exploit customers by encouraging them to provide more personal data than necessary. The regulators are calling for businesses to embrace fair and transparent practices, providing users with increased control over their data, and warning that failure to comply could lead to formal enforcement actions.
The Concerning Landscape: Tricky Design Practices
The position paper centres on the way information about choice and consent is presented to customers, known as “Online Choice Architecture” (OCA). The ICO and CMA have raised red flags about website design practices that compromise user privacy and manipulate users’ choices. Examples of harmful designs include:
- Harmful Nudges and Sludge: Subtle manipulations that steer users away from privacy-friendly choices, for example making one option significantly quicker to complete than a time-consuming alternative. The ICO emphasizes that this may infringe the “fairness” and “transparency” principles of the GDPR, potentially rendering the consent collected legally non-compliant.
- Confirmshaming: Design elements that pressure users into specific choices, such as requesting customer details and consent for marketing in exchange for a discount. The ICO notes that consent obtained in this way might not be considered truly “freely given”. A specific example, recently highlighted by an ICO representative, is failing to include a “reject all” button on cookie consent banners (see our earlier blog on this).
- Biased Framing: Presenting choices in a manner that steers users toward certain outcomes, heavily favoring one option while downplaying risks. This approach prevents users from making informed decisions.
- Bundled Consent: Forcing users to accept multiple services simultaneously, such as cookies, marketing, and account settings, with the provision that individual consents can be adjusted later in account settings.
- Default Settings: Designing interfaces that prioritize certain choices as default, influencing user decisions and making it unclear how to choose different options.
Meeting Regulators’ Expectations
In the Harmful Designs Paper, the ICO and CMA suggest that the primary focus for website design is a user-centred approach that empowers individuals to make well-informed choices and feel in control. Before launching any website, companies are advised to rigorously test and refine their designs and to adhere to the fundamental principles of data protection, consumer rights, and fair competition.
Looking Ahead: Education and Enforcement
As part of this work, the CMA will expand its Rip Off Tip Off campaign, which encourages consumers to report deceitful online sales tactics. This educational initiative aims to raise awareness among users and encourage them to report misleading practices. Simultaneously, the ICO will continue to enforce data protection rights, particularly for vulnerable individuals at risk of harm. With the CMA and ICO focussed on website design and fairness to consumers, increased enforcement is likely. The ICO and CMA expect that the position paper will drive businesses to re-evaluate their website practices to make sure they comply with current law.
If companies are unsure about whether their website contains harmful designs that don’t respect the fundamental principles of data protection, consumer rights or fair competition, it’s time to think about carrying out an assessment of website design and its operation.
The Summer 2023 Edition of the quarterly IT & Data Protection Newsletter by Reed Smith Germany has just been released.
Full post: Get your Update on IT & Data Protection Law in our Germany Newsletter (Summer 2023 Edition)