Privacy & Data Protection

On 17 October 2023, the First-Tier Tribunal of the General Regulatory Chamber – Information Rights (the Tribunal) handed down its decision in Clearview AI Inc v The Information Commissioner [2023] UKFTT 819, overturning the £7.5 million fine levied on Clearview AI Inc. (Clearview) by the ICO last year.Continue Reading Clearview AI Inc., successfully appeals £7.5 million fine from the ICO but the ICO is fighting back!

The Court of Justice of the European Union (“CJEU”) issued a judgment on the 9th of February 2023 (docket no. C-453/21), which addresses the question of the dismissal of a Data Protection Officer (“DPO”) and the interpretation of Article 38 of the EU GDPR.Continue Reading CJEU rules on DPO conflicts of interest under the GDPR

The UK Network and Information Systems (NIS) Regulations 2018 will be strengthened in an effort to protect essential and digital services. On 30th November 2022, the UK government published its response to the public consultation on proposals to improve the UK’s cyber resilience. As the UK is no longer bound by EU legislation, it will not be implementing the NIS 2 Directive, recently adopted by European Parliament and Council. However, the frequency and scale of cyber incidents and consequent increased risk of severe damage has prompted change to UK cyber laws as well. Continue Reading UK expands scope of NIS Regulations

On 18 July 2022, the United Kingdom (UK) government set out its new proposals for regulating the use of artificial intelligence (AI) technologies while promoting innovation, boosting public trust, and protecting data. The proposals reflect a less centralised and more risk-based approach than in the EU’s draft AI Act.

The proposals coincide with the introduction to Parliament of the Data Protection and Digital Information Bill, which includes measures to use AI responsibly while reducing compliance burdens on businesses to boost the economy. Continue Reading UK government announces its proposals for regulating AI

Background

On 1 August 2022, the Court of Justice of the European Union (“CJEU”) issued a decision (“Decision”) clarifying how the indirect disclosure of sexual orientation data is protected as special category data under Article 9 of the EU General Data Protection Regulation (“GDPR”). “Special Category Data” is defined within Article 9(1) of the GDPR and includes (for example) a data subject’s racial or ethnic origin or data concerning a natural person’s sex life or sexual orientation. The processing of such sensitive personal data is expressly prohibited, unless the processing is exempted from the prohibition in the sense of Article 9(2) GDPR.Continue Reading CJEU rules on interpretation of EU GDPR special categories of data

On 4 May 2022, the Department for Digital, Culture, Media and Sport (DCMS) launched a consultation (available here) to request views from the tech industry on potential interventions to enhance security and privacy requirements for firms running app stores and developers making apps.Continue Reading Department for Digital, Culture, Media and Sport launches consultation on app security

Following a consultation in January 2021, the European Data Protection Board (EDPB) has published its finalised guidelines on examples of personal data breaches and whether they are notifiable. These guidelines supplement previous guidance on personal data breach notification: the Opinion on Personal Data Breach Notification (Opinion 03/2014) and the general Guidelines on Personal Data Breach Notification under the GDPR (WP 250), both issued by the EDPB’s predecessor, the Article 29 Working Party.

The new guidelines offer welcome clarification on when notifications are required given that some data protection authorities and commentators have acknowledged over-reporting.

In this article we recap on the key takeaways from the finalised guidelines, focussing on key changes made since the January 2021 consultation, and exploring the challenges of managing data breach notifications in multiple jurisdictions.Continue Reading New guidelines on personal data breach notifications

The Information Commissioner’s Office (ICO) and the Alan Turing Institute have recently released an interim report (Report) outlining their approach to best practices in explaining artificial intelligence (AI) to users. The Report is of particular relevance to operators of AI systems who may be considering their duties under the General Data Protection Regulation 2016/679 (GDPR).