EU/UK Privacy & Cybersecurity News Roundup – Week of February 20, 2023

Data privacy case law and legislation are constantly updated in the United Kingdom and European Union to address key issues. To track the latest developments, we have set out a brief overview of case law updates, legislation, guidance and news.

  1. Case Law Updates
    1. Politico reports that the European Data Protection Board will deliver its binding decision regarding the lawfulness of Meta’s EU-U.S. data transfers by 14 April. The EDPB’s ruling concerns Meta’s reliance on standard contractual clauses to facilitate EU-U.S. transfers under the now invalidated EU-U.S. Privacy Shield. Meta previously stated a ruling against its transfer practices would force it to cease operations in the EU.
    2. In Wilson v Mendelsohn and others [2023] EWHC 231 (KB), the High Court refused to strike out claims for misuse of private information and libel against the first and third defendants. Please see a summary here.
  2. Legislation
    1. The European Parliament announced, on 9 February 2023, its adoption of the draft Regulation on Harmonised Rules on Fair Access to and Use of Data (‘the Draft Data Act’). In particular, the Parliament specified that the Committee strengthened some of the Draft Data Act’s provisions to protect trade secrets and avoid a situation where increased access to data is used by competitors to retro-engineer services or devices, and also set stricter conditions on business-to-government data requests. Please see the press release here.
  3. Guidance & Draft Guidance
    1. The Dutch data protection authority issued, on 13 February 2023, an opinion concluding that the provision of vaccination data to researchers is lawful under the GDPR and the legal framework for Statistics Netherlands. Please see the press release here and the opinion here, both only available in Dutch.
    2. The Danish data protection authority issued, on 14 February 2022, a press release in which it clarified rules regarding the deletion of personal data at the end of research projects. Please see the press release, only available in Danish, here.
    3. The UK Information Commissioner’s Office has published a series of recommendations to games developers which sets out how online services, likely to be accessed by children, should protect them in the digital world. Please see the press release here and recommendations here.
    4. The ICO sent a joint letter, along with the National Cyber Security Centre (‘NCSC’), to the Law Society to remind the Society’s members to refrain from advising clients to pay ransomware demands should they fall victim to cyberattacks. The ICO stated that both itself and the NCSC have been told that some firms are paying ransoms with the mistaken expectation that this is the right thing to do and may gain benefit from it by way of reduced enforcement, and that they do not need to engage with the ICO as a regulator. Please see the press release here.
  4. Data Protection Authority Updates
    1. The ICO imposed a fine of £200,000 against It’s OK Limited, for violation of Regulation 21 PECR.
    2. The Spanish data protection authority imposed a fine of €70,000 (subsequently reduced to €56,000) on Vodafone España, S.A.U., for violations of Article 6(1) GDPR. Please see the decision, only available in Spanish, here.
  5. Privacy News
    1. The European Data Protection Board (‘EDPB’) published, on 13 February 2023, its 75th plenary meeting agenda. Please see the agenda here.
    2. The Civil Liberties, Justice and Home Affairs (‘LIBE’) Committee of the European Parliament released, on 14 February 2023, a draft motion for a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework (‘the Draft Motion’), concluding that the EU-US Data Privacy Framework fails to provide equivalent protection. Please see the Draft Motion here.
    3. The Digital Advertising Alliance and fellow privacy self-regulatory groups announced a joint approach to privacy controls and user consent management for websites and mobile apps. Please see the press release here.
    4. The Wall Street Journal reports that data protection authorities in France, Spain and the Netherlands are opening units dedicated to AI oversight and enforcement.
    5. Reuters reports that a group of insurers, leasing companies, vehicle repair shops and others are calling for regulation in the EU on fair access to connected vehicle data.
    6. The U.K. Office of the Biometrics and Surveillance Camera Commissioner raised concerns over the use of Chinese surveillance cameras by law enforcement and defence agencies.