- 30 Dec 2024
Data Protection Quarterly News Roundup (October to December 2024)
I cannot quite believe it is now 2025, which means it is time for our data protection review of the final quarter of 2024.
New audit framework from the ICO
In October the ICO launched a new audit framework designed to help organisations assess their own compliance with key requirements under data protection law. The ICO believes the new audit framework will empower organisations to improve their data protection practices.
The European Data Protection Board (EDPB) has published its opinion on AI models’ compliance with the EU GDPR
This EDPB opinion is important reading for anyone responsible for data protection compliance in organisations developing and/or deploying AI. The opinion focuses on three subjects: whether an AI model is anonymous, what the legal basis is for processing in the context of AI, and what the implications are of using an AI model that has been developed using unlawfully processed personal data.
ICO publishes report on data protection in generative AI
The ICO has published its outcomes report on data protection in generative AI, explaining:
“We looked at five areas which resulted in us refining our position in two key areas: the lawful basis for web scraped data to train generative AI models and the engineering of individual rights into generative AI models. We found a serious lack of transparency, especially in relation to training data within the industry, which our consultation responses show is negatively impacting the public’s trust in AI”.
ICO publishes report on the use of AI tools in recruitment
In November the ICO published the results of its consensual audit engagements with developers and providers of AI tools used in recruitment together with a series of recommendations (nearly 300!) for developers and recruiters.
OpenAI receives €15 million fine
Staying on the subject of AI, the Italian data protection authority has issued a €15 million fine to OpenAI (relating to ChatGPT), citing the following key issues:
- Failure to identify a suitable lawful basis for using personal data in AI training
- Breach of the transparency principle
- Failure to notify data subjects of use of their data
Interestingly, in addition to the fine, OpenAI has been ordered to carry out a six-month messaging campaign on radio, printed press, TV and the internet regarding the rights of users whose data have been deployed for training.
EDPB opinion on controller accountability in sub-processing chains
This is a really interesting and important opinion of the EDPB in relation to sub-processing chains, which we would urge you to read. Although this is only an opinion, and an EU one at that, its implications for controllers when using processors are huge. Spoiler alert – controllers are accountable and responsible all the way down the chain (yes, including in relation to sub-sub-sub-sub processors), including in relation to international transfers by sub-processors.
Changes at Google come to the attention of the ICO
Google has announced to organisations that use its advertising products that from 16 February 2025 it will permit fingerprinting techniques. The ICO is not very happy about this and has responded by publishing a statement setting out its position on this change, commenting “The ICO’s view is that fingerprinting is not a fair means of tracking users online because it is likely to reduce people’s choice and control over how their information is collected. The change to Google’s policy means that fingerprinting could now replace the functions of third-party cookies”.
Data subject compensation claims
Case law has been inconsistent on when a data subject is entitled to claim compensation for non-material damages arising from a breach of the EU GDPR, but a recent case in the German Federal Court of Justice confirmed a more favourable position for data subjects (an approach which could also be followed in the UK), namely that:
- even a “mere and short-term loss of control” of personal data may give rise to compensable non-material damages; and
- a data subject is not required to provide evidence that there has been a “specific misuse” of data to the detriment of the data subject because of such loss of control.
The effects of data breaches
In October the ICO published a blog written by the Information Commissioner about the impact data breaches have on individuals and warned organisations: “you must do better”.
Fines in the UK
As usual there have been more fines for breaches of PECR this quarter but fines under the GDPR in the UK totalled just 2 in the whole of 2024.
Data protection reform
As we mentioned in our recent article, data protection reform is back on the table and progressing well. It seems likely that the reforms will pass into law by spring 2025.
EDPB guidelines on Technical Scope of Article 5(3) ePrivacy Directive
In October the EDPB published its guidelines on the Technical Scope of Article 5(3) ePrivacy Directive setting out what is covered by the ePrivacy Directive (in the UK, PECR) beyond cookies. The guidelines look at specific use cases and technologies including URL and pixel tracking, local processing, tracking based solely on IP addresses and intermittent and mediated IoT reporting.