Photo of Angelika Bialowas

On 14 July 2022, the UK Information Commissioner’s Office (“ICO”) has launched a public consultation on its draft strategic three year plan, titled “ICO25”. The plan sets out a commitment to safeguard the information rights of the most vulnerable individuals with the aim of empowering people to confidently share their information to use today’s market products and services, with work particularly targeting:

  • children’s privacy;
  • AI-driven discrimination;
  • the use of algorithms within the benefits system; and
  • the impact of predatory marketing calls.


Continue Reading ICO25: ICO sets out its three year strategic plan

In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k – £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last related to a ransomware attack and despite the controller being subjected to a malicious cybercrime, it was penalised for a failure to address known vulnerabilities and to prevent the ransomware attack in time.

Continue Reading ICO enforcement actions in Q1 2022

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
Continue Reading ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

On 13 October 2021, the European Data Protection Board (EDPB) adopted the final version of its Guidelines (10/20) on restrictions of data subject rights under article 23 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) (the Guidelines) during its forty-third plenary session. The adoption comes after a public consultation on the EDPB’s draft guidelines,

AI is a hot topic, particularly in the area of patent law and inventorship.

On Tuesday 21 September 2021, the UK Court of Appeal ruled that artificial intelligence (AI) cannot be listed as an inventor on a patent application (Thaler v Comptroller General of Patents Trade Marks and Designs [2021] EWCA Civ 1374).

Background

The present case related to two patent applications submitted to the UK Intellectual Property Office (IPO) by Dr Stephen Thaler. Both applications listed the inventor as ‘DABUS’, an AI machine built for the purpose of inventing, which had successfully come up with two patentable inventions. The UK IPO had refused to process either application (considering them withdrawn) as they failed to comply with the requirement to list an inventor and Dr Thaler was not entitled to apply for the patents. According to the Patents Act 1977, an inventor must be a ‘person’.

At the Court of First Instance, Mr. Justice Marcus Smith had upheld the IPO’s decision.

Continue Reading UK Court of Appeal rules AI is not an inventor

During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.

The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.

Purpose of the CoC Guidelines

The main purpose of the CoC Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (GDPR) relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries. These provisions specify that a code of conduct, which has been (1) approved by a competent supervisory authority and (2) has been granted general validity within the EEA by the EU Commission, may be used and adhered to by controllers and processors not subject to the GDPR to provide appropriate safeguards to affect transfers of data outside of the EU.

The CoC Guidelines should further act as a clear reference for all EU supervisory authorities, the EDPB and assist the EU Commission in evaluating codes in a consistent manner and streamline the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers are aware of the process and understand the formal requirements and the appropriate thresholds required for setting up such a code of conduct.
Continue Reading The European Data Protection Board adopts guidelines on codes of conduct as a tool for transfers

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion).

The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI) which was presented on the 21st April 2021 (Proposed Regulation). The Proposed Regulation laid out (i) harmonised rules for the placing on the market, the putting into service and the use of AI systems in the EU; (ii) prohibitions of certain AI practices; (iii) specific requirements for high-risk AI systems and obligations for operators of such systems; (iv) harmonised transparency rules for AI systems; and (v) rules on market monitoring and surveillance. We have previously summarised the obligations, scope and effect of the Proposed Regulation in our previous client alert, here.

The EDPB and the EDPS welcome the concern of the Commission in addressing the use of AI within Europe and stress that the Proposed Regulation has important data protection implications. Both authorities agree with the risk-based approach underpinning the Proposed Regulation and further welcome the fact that the Proposed Regulation designates the EDPS as the competent authority and the market surveillance authority for the supervision of the EU institutions. However, they note the role and tasks of the EDPS should be further clarified, specifically to its role as a market surveillance authority.

Continue Reading EDPB and EDPS adopt joint opinion on the data protection implications raised from the proposed Artificial Intelligence Act

On the 22nd of June 2021, the Department of Health and Social Care (DHSC) published its draft strategy ‘Data saves lives’ on the use of data within the health and social care sector, available here. In the draft strategy, the DHSC set out its plans to use data to improve the health and care

The European Commission is considering amending the existing rules for the financial sector regarding digital operational resilience, with a view to unifying and strengthening the legal framework in this area.

The proposed change to legislation would amend the existing Network and Information Security (NIS) Directive and create a new regulation on digital operational resilience, known

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) announced their joint opinions on the draft standard contractual clauses (SCCs) previously published by the European Commission in November 2020. The opinions cover the SCCs between controllers and processors and the SCCs for the transfer of personal data to third countries.  We have previously commented on both sets of drafts here and here.

Controller to processor SCCs

In their joint opinion, both the EDPB and the EDPS, welcomed the controller to processor SCCs as a single, strong, and EU-wide accountability tool, which will facilitate compliance with the General Data Protection Regulation (GDPR) and provide much needed legal certainty to controllers and processors. However, the EDPB and EDPS noted that more clarity should be provided as to when the controller to processor SCCs can be relied upon. Further amendments were also noted as needed, for example the docking clause, which allows additional entities to accede to the controller to processor SCCs. It was also noted that the SCCs Annexes should be amended to clarify the roles and responsibilities of each of the parties as much as possible with regard to each processing activity. The EDPB and EDPS consider these additional amendments as necessary to ensure harmonisation and legal certainty across the EU when it comes to contracts between controllers and their processors.
Continue Reading The EDPB and EDPS adopt joint opinions on the new draft SCCs