Photo of Angelika Christoforou

2022 was another busy year in privacy and data protection. We have seen major new developments at both the EU and the UK level, in terms of new legislation taking effect, changes to the data transfer regime, analytics cookies coming under the regulatory spotlight from various EU data protection authorities, and substantial fines issued for breaches of data protection law.

Regulations surrounding privacy and data continue to develop at a rapid pace. Emerging technologies have changed the manner in which personal data is collected and used. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 could be an exciting and busy year for privacy and data.

We asked some of our Tech & Data team members in the field to get their opinions on what is likely to happen in privacy and data in 2023:
Continue Reading EU and UK privacy and data predictions for 2023

On 26 September 2022, the UK Information Commissioner’s Office (“ICO”) issued a blog post addressing compliance with data subject access requests (“DSARs”).

A DSAR is a written request by an individual to an organisation asking for access to the personal information it holds on them. This is a legal right everyone in the UK has and can be exercised at any time for free (in most circumstances).
Continue Reading ICO issues guidance on responding to subject access requests

On 14 July 2022, the UK Information Commissioner’s Office (“ICO”) launched a public consultation on its draft strategic three year plan, titled “ICO25”. The plan sets out a commitment to safeguard the information rights of the most vulnerable individuals with the aim of empowering people to confidently share their information to use today’s market products and services, with work particularly targeting:

  • children’s privacy;
  • AI-driven discrimination;
  • the use of algorithms within the benefits system; and
  • the impact of predatory marketing calls.

Continue Reading ICO25: ICO sets out its three year strategic plan

In Q1 2022, the UK’s Information Commissioner’s Office (ICO) issued 26 enforcement actions. There were 15 monetary penalties issued, ranging between £2k – £200k, and 11 enforcement notices. The majority of the fines and enforcement notices related to unsolicited marketing activities, two related to data subject rights infringements, and one related to a failure to ensure adequate security around personal data. The last related to a ransomware attack and despite the controller being subjected to a malicious cybercrime, it was penalised for a failure to address known vulnerabilities and to prevent the ransomware attack in time.
Continue Reading ICO enforcement actions in Q1 2022

On 7 February 2022, the UK Information Commissioner’s Office (ICO) announced that it had launched a consultation on Chapter 3 of its draft guidance on anonymisation, pseudonymisation, and privacy enhancing technologies (PET).
Continue Reading ICO launches consultation on Chapter 3 of updated guidance on anonymisation, pseudonymisation and PET

On 13 October 2021, the European Data Protection Board (EDPB) adopted the final version of its Guidelines (10/20) on restrictions of data subject rights under article 23 of the General Data Protection Regulation ((EU) 2016/679) (GDPR) (the Guidelines) during its forty-third plenary session. The adoption comes after a public consultation on the EDPB’s draft guidelines,

AI is a hot topic, particularly in the area of patent law and inventorship.

On Tuesday 21 September 2021, the UK Court of Appeal ruled that artificial intelligence (AI) cannot be listed as an inventor on a patent application (Thaler v Comptroller General of Patents Trade Marks and Designs [2021] EWCA Civ 1374).

Background

The present case related to two patent applications submitted to the UK Intellectual Property Office (IPO) by Dr Stephen Thaler. Both applications listed the inventor as ‘DABUS’, an AI machine built for the purpose of inventing, which had successfully come up with two patentable inventions. The UK IPO had refused to process either application (considering them withdrawn) as they failed to comply with the requirement to list an inventor and Dr Thaler was not entitled to apply for the patents. According to the Patents Act 1977, an inventor must be a ‘person’.

At the Court of First Instance, Mr. Justice Marcus Smith had upheld the IPO’s decision.
Continue Reading UK Court of Appeal rules AI is not an inventor

During its 51st plenary session on 7th July 2021, the European Data Protection Board (EDPB) adopted guidelines on codes of conduct as tools for transfers (CoC Guidelines). The CoC Guidelines are available here.

The CoC Guidelines support and complement the previous EDPB Guidelines on CoCs published in 2019 (2019 Guidelines) that established the general framework for the adoption of CoCs. We have previously written about the 2019 Guidelines here.

Purpose of the CoC Guidelines

The main purpose of the CoC Guidelines is to clarify the application of Articles 40(3) and 46(2)(e) of the General Data Protection Regulation (GDPR) relating to codes of conduct as appropriate safeguards for transfers of personal data to third countries. These provisions specify that a code of conduct which (1) has been approved by a competent supervisory authority and (2) has been granted general validity within the EEA by the EU Commission may be used and adhered to by controllers and processors not subject to the GDPR to provide appropriate safeguards to effect transfers of data outside of the EU.

The CoC Guidelines should further act as a clear reference for all EU supervisory authorities and the EDPB, assist the EU Commission in evaluating codes in a consistent manner, and streamline the procedures involved in the assessment process. They should also provide greater transparency, ensuring that code owners who intend to seek approval for a code of conduct intended to be used as a tool for transfers are aware of the process and understand the formal requirements and the appropriate thresholds required for setting up such a code of conduct.
Continue Reading The European Data Protection Board adopts guidelines on codes of conduct as a tool for transfers

The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted Joint Opinion 5/2021 on the proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (Joint Opinion).

The Joint Opinion follows the European Commission’s (Commission) Proposal for a Regulation of the European Parliament and of the Council laying down harmonised rules on artificial intelligence (AI), which was presented on 21 April 2021 (Proposed Regulation). The Proposed Regulation laid out (i) harmonised rules for the placing on the market, the putting into service and the use of AI systems in the EU; (ii) prohibitions of certain AI practices; (iii) specific requirements for high-risk AI systems and obligations for operators of such systems; (iv) harmonised transparency rules for AI systems; and (v) rules on market monitoring and surveillance. We have summarised the obligations, scope and effect of the Proposed Regulation in our previous client alert, here.

The EDPB and the EDPS welcome the concern of the Commission in addressing the use of AI within Europe and stress that the Proposed Regulation has important data protection implications. Both authorities agree with the risk-based approach underpinning the Proposed Regulation and further welcome the fact that the Proposed Regulation designates the EDPS as the competent authority and the market surveillance authority for the supervision of the EU institutions. However, they note the role and tasks of the EDPS should be further clarified, specifically in relation to its role as a market surveillance authority.
Continue Reading EDPB and EDPS adopt joint opinion on the data protection implications raised from the proposed Artificial Intelligence Act

On the 22nd of June 2021, the Department of Health and Social Care (DHSC) published its draft strategy ‘Data saves lives’ on the use of data within the health and social care sector, available here. In the draft strategy, the DHSC set out its plans to use data to improve the health and care