• 3 min read

Data Protection Quarterly News Roundup (January to March 2023)


In this, our first quarterly news roundup of 2023, we bring you our news highlights of the last three months which as usual have been full of data protection learnings.

1. Meta Platforms Inc.

Alongside the boom in the existence and use of artificial intelligence (with nearly everyone now having heard of Chat GPT even if they haven’t used it yet) the early part of 2023 saw Meta hit the data protection headlines having received multi-million pound fines: €210m for Facebook, €180m for Instagram and €5.5m for WhatsApp. Whilst we are likely to hear more in relation to these cases / fines there are for now some worthwhile take homes from these cases for all controller organisations:

  • The importance of transparency and ensuring data subjects are clearly made aware of your processing activities, purpose of processing and lawful bases to process personal data. 
  • If you wish to rely on contractual necessity for your processing operations you need to ensure the processing is truly necessary for the core elements of the contract and are not ancillary. 

2. Data Protection and Digital Information (No.2) Bill.

Data protection reform is back on the agenda with a revised reform Bill published at the beginning on March by the new Department for Science, Innovation and Technology. This Bill doesn’t depart hugely from the first reform Bill published in July last year and still amends the UK GDPR, the Data Protection Act and the Privacy and Electronic Communications Regulations (PECR) rather than forming new legislation entirely. Two key points to note in relation to the reforms:

  • There will be reduced requirements for ROPAs (records of processing activity). 
  • The Bill significantly increases the levels of possible fines for breaches under PECR which bring them in line with GDPR level fines (4% of global turnover or 17.5 million GBP, whichever is greater). In addition in relation to PECR, the Bill would reduce the amount of cookie consent pop-ups required on websites. 

It is understood that organisations that are already compliant with the UK GDPR and/or the EU GDPR will not be required to make any changes as a result of the Bill.

3. EU / US transfers.

Progress continues on the EU / US Data Privacy Framework (DPF) aka Privacy Shield 2.0. Whilst concerns have been raised about the new framework it has also been acknowledged that the DPF includes significant improvements when compared to the failed Privacy Shield. The DPF could be approved as early as April 2023. 

4. Personal offences under data protection law. 

In February we had a reminder that individuals, as well as organisations, can commit offences under the UK data protection law. In this case a former employee of the RAC was fined by the Information Commissioner’s Office (ICO) for stealing personal data of victims of road traffic incidents and passing it on to traffic incident claims management companies. The individual pleaded guilty to two counts of stealing data in breach of Section 170 of the Data Protection Act 2018 (unlawful obtaining etc of personal data) and was fined £5,000.

5. Cookies best practice.

In the EU a report was published by the EDPB (European Data Protection Board) outlining cookies best practice. Whilst this guidance isn’t binding in the UK it is useful and likely reflects what should be UK best practice too. The main takeaways:

  • Reject buttons should be on the first layer of the notice i.e you shouldn’t have to click through the initial notice to get to the reject button (which is a common requirement).
  • Accept buttons shouldn’t be pre-ticked or more predominant in terms, for example, of size and colour than reject buttons. 
  • Essential cookies (which do not require consent) must be correctly identified. 
  • There should be an easy way to withdraw consent after it is given. 

There is a need for clear information on the face of the cookie banner so visitors know what they are consenting to and have a genuine choice whether to consent (rarely will cookie walls, which stop a visitor from using a website unless they accept cookies, be lawful). 

6. Data subject access requests (DSARS).

News again from the EU where the Court of Justice of the European Union made a decision about DSARs which is interesting for UK organisations. The EU and UK GDPR provide a right for data subjects to get information from a controller on request about the recipients or categories of recipients to whom their data has been or will be disclosed. The question in this case was whether this meant that the controller had to disclose the specific identity of actual recipients of personal data or just describe the nature of the recipients. The decision found the former was necessary unless it is not possible to identify them. 

Our data protection team have many years of experience in advising organisations on their compliance with UK data protection law. To speak to one of the team you can get in touch here or call us on 0800 2800 421. 

If you have not received this article directly, but would like to receive articles and data protection news alerts from Trethowans, please email [email protected].

Answers are just a click away