Privacy & Information Security Law Blog

On June 7, 2024, following a public consultation, the French Data Protection Authority published the final version of the guidelines addressing the development of AI systems from a data protection perspective.

On May 23, 2024, the European Data Protection Board adopted an Opinion on the use of facial recognition technologies by airport operators and airline companies to streamline the passenger flow at airports.

On April 17, 2024, the European Data Protection Board adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms, stating that such models generally are not compliant with the GDPR, though their use should be considered on a case-by-case basis.

On March 26, 2024, the French data protection authority (the “CNIL”) published the 2024 edition of its Practice Guide for the Security of Personal Data (the “Guide”). The Guide is intended to support organizations in their efforts to implement adequate security measures in compliance with their obligations under Article 32 of the EU General Data Protection Regulation. In particular, the Guide targets DPOs, CISOs, computer scientists and privacy lawyers.

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Endemol Shine (Case C‑740/22). In this case, the CJEU was called upon to assess whether oral disclosure of information could be considered as processing of personal data under the EU General Data Protection Regulation (“GDPR”) and to clarify the relationship between personal data protection and public access to documents.

On March 13, 2024, the European Parliament adopted the AI Act by a majority of 523 votes in favor, 46 votes against, and 49 abstentions. The AI Act will introduce comprehensive rules to govern the use of AI in the EU, making it the first major economic bloc to regulate this technology.

On March 7, 2024, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of IAB Europe (Case C‑604/22). In this judgment, the CJEU assessed the role of the Interactive Advertising Bureau Europe (“IAB Europe”) in the processing operations associated with its Transparency and Consent Framework (“TCF”) and further developed CJEU case law on the concept of personal data under the EU General Data Protection Regulation (“GDPR”).

On February 28, 2024, the European Data Protection Board (“EDPB”) announced the launch of its latest Coordinated Enforcement Framework action on the right of access. Through the course of 2024, 31 data protection authorities across the European Economic Area, including seven German state-level authorities, will take part in this initiative on the implementation of the right of access. The EDPB selected the right access for its third coordinated enforcement action as it is “at the heart of data protection,” is a right that is very frequently exercised by individuals, and one that is often the basis of complaints to authorities.

On February 20, 2024, The Centre for Information Policy Leadership at Hunton Andrews Kurth LLP  (“CIPL”) and Theodore Christakis, Professor of International, European and Digital Law at University Grenoble Alpes, released a comprehensive study titled The “Zero Risk” Fallacy: International Data Transfers, Foreign Governments’ Access to Data and the Need for a Risk-Based Approach. In the study, Prof. Christakis makes the case that the EU General Data Protection Regulation (“GDPR”), the Charter of Fundamental Rights of the European Union and EU law, more generally, allow a more nuanced and risk-based approach to data transfers than the restrictive approach often applied. CIPL and Prof. Christakis provide an approach that outlines data protection measures that are proportionate to the risks at hand, and takes into account the nature of the data, the likelihood of access by foreign governments, and the severity of the potential harm.

On January 24, 2024, the European Commission announced that it had published the Commission Decision establishing the European AI Office (the “Decision”). The AI Office will be established within the Commission as part of the administrative structure of the Directorate-General for Communication Networks, Content and Technology, and subject to its annual management plan. The AI Office is not intended to affect the powers and competences of national competent authorities, and bodies, offices and agencies of the EU in the supervision of AI systems, as provided for by the forthcoming AI Act. The Decision details the functions and tasks of the AI Office, such as:

On February 13, 2024, the European Data Protection Board (“EDPB”) adopted Opinion 04/2024 on the notion of the main establishment of a controller in the Union under Article 4(16)(a) of the EU General Data Protection Regulation (“GDPR”) (the “Opinion”).

On February 9, 2024, Hunton Andrews Kurth attorneys, David Dumont and Laura Léonard, and Centre for Information Policy Leadership Director of Privacy and Data Policy, Natascha Gerlach, published an op-ed discussing the implications of the European Commission’s proposal for a Regulation laying down additional procedural rules relating to the enforcement of Regulation (EU) 2016/679 (the “Draft GDPR Procedural Regulation”) and the draft report on the Draft GDPR Procedural Regulation by the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Draft LIBE Report”).

On February 8, 2024, the French Data Protection Authority (the “CNIL”) announced the priority topics for its inspections in 2024.  

On January 22, 2024, a draft of the final text of the EU Artificial Intelligence Act (“AI Act”) was leaked to the public. The leaked text substantially diverges from the original proposal by the European Commission, which dates back to 2021. The AI Act includes elements from both the European Parliament’s and the Council’s proposals.

On January 18, 2024, the European Data Protection Board published a thematic one-stop-shop (“OSS”) case digest titled, “Security of Processing and Data Breach Notification” (the “Digest”). The Digest analyzes a selection of decisions adopted by EU data protection authorities on data security and data breaches. 

On January 15, 2024, the European Commission released its “report on the first review of the functioning of the Adequacy Decisions adopted pursuant to Article 25(6) of Directive 95/46/EC” (the “Report”). The Report details the results of the European Commission’s assessment of whether 11 jurisdictions (Andorra, Argentina, Canada, the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay) that benefit from Adequacy Decisions adopted under the repealed Directive 95/46/EC still offer sufficient guarantees to maintain adequacy status under the EU General Data Protection Regulation (“GDPR”).

On January 8, 2024, the French Data Protection Authority (the “CNIL”) opened a consultation on its draft guidance for the use of transfer impact assessments (“Guidance”). In describing the Guidance, the CNIL references the decision of the Court of Justice of the European Union in Schrems II and states that exporters relying on tools listed in Article 46(2) and Article 46(3) of the EU General Data Protection Regulation (“GDPR”) for personal data transfers are required to assess the level of protection in the designated third country and the need to put in place additional safeguards (i.e., conduct a transfer impact assessment (“TIA”)). The Guidance is intended to assist data exporters in carrying out TIAs. 

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR.

On December 14, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of VB v. Natsionalna agentsia za prihodite (C‑340/21), in which it clarified, among other things, the concept of non-material damage under Article 82 of the EU General Data Protection Regulation (“GDPR”) and the rules governing burden of proof under the GDPR.

On December 7, 2023, the Court of Justice of the European Union (“CJEU”) ruled that credit scoring constitutes automated decision-making, which is prohibited under Article 22 of the EU General Data Protection Regulation (“GDPR”) unless certain conditions are met. In a case stemming from consumer complaints against German credit bureau SCHUFA, the CJEU found that the company’s reliance on fully automated processes to calculate creditworthiness and extend credit constitutes automated decision-making which produces a legal or similarly significant effect within the meaning of Article 22 of the GDPR.

On December 8, 2023, the European Parliament and the Council reached a political agreement on the EU’s Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”).

The AI Act will introduce a risk-based legal framework for AI. Specifically, the AI Act will state that: (1) certain AI systems are prohibited as they present unacceptable risks (e.g., AI used for social scoring based on social behavior or personal characteristics, untargeted scraping of facial images from the Internet or CCTV footage to create facial recognition databases, etc.); (2) AI systems presenting a high-risk to the rights and freedoms of individuals will be subject to stringent rules, which may include data governance/management and transparency obligations, the requirement to conduct a conformity assessment procedure and the obligation to carry out a fundamental rights assessment; (3) limited-risk AI systems will be subject to light obligations (mainly transparency requirements); and (4) AI systems that are not considered prohibited, high-risk or limited-risk systems will not be under the scope of the AI Act.

On November 16, 2023, the European Data Protection Board (“EDPB”) published its Guidelines 2/2023 on the Technical Scope of Art. 5(3) of the ePrivacy Directive (the “Guidelines”).

On November 9, 2023, the European Parliament adopted, by a majority of 481 votes in favor, 31 votes against and 71 abstentions, the final text of the Data Act. As explained in our previous blog, the Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

On November 8, 2023, the UK Information Commissioner’s Office (“ICO”) and the European Data Protection Supervisor (“EDPS”) announced they have signed a Memorandum of Understanding (“MOU”) intended to reinforce their “common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal”. The MOU sets out broad principles of collaboration between the ICO and EDPS and the legal framework governing the sharing of relevant information and intelligence. The ICO and EDPS consider that, when addressing similar issues, reducing divergencies in their regulatory approaches will benefit public and private organizations, individuals, and other stakeholders in the UK and EU.  

On October 27, 2023, the European Data Protection Board (“EDPB”) adopted an urgent binding decision instructing the Irish Data Protection Commissioner (the “Irish DPC”) to take final measures against Meta Ireland Limited (“Meta”) within two weeks and impose a ban on Meta’s processing of personal data for behavioral advertising based on the contractual necessity and legitimate interests legal bases. The ban would apply across the European Economic Area (“EEA”).

On November 1, 2023, 29 nations, including the U.S., the UK, the EU and China (full list available here), reached a ground-breaking agreement, known as the Bletchley Declaration. The Declaration sets forth a shared understanding of the opportunities and risks posed by AI and the need for governments to work together to meet the most significant challenges posed by the technology. The Declaration states  that there is an urgent need to understand and collectively manage the potential risks posed by AI to ensure the technology is developed and deployed in a safe, responsible way. The Declaration was signed at the AI Safety Summit 2023, held at Bletchley Park in the UK.

October 12, 2023, the French Data Protection Authority (the “CNIL”) announced a €600,000 fine for mass media company Groupe Canal+ for failing to comply with its commercial prospecting obligations applicable under the French Post and Electronic Communications Code and several obligations of the EU General Data Protection Regulation (“GDPR”).

On October 30, 2023, the G7 leaders announced they had reached agreement on a set of International Guiding Principles on Artificial Intelligence (AI) and a voluntary Code of Conduct for AI developers, pursuant to the Hiroshima AI Process. The Hiroshima AI Process was established at the G7 Summit in May 2023 to promote guardrails for advanced AI systems at a global level.

On October 11, 2023, the French Data Protection Authority (the “CNIL”) published a new set of guidelines addressing the research and development of AI systems from a data protection perspective (the “Guidelines”).

On October 18, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth published an opinion piece in the leading European policy outlet, Euractiv, titled “The Time is Now: Why modernising transatlantic cooperation on cross-border law enforcement access to electronic evidence should be a priority.”

The piece argues that at a time of an increased threat of cybercrime, digital fraud, disinformation, and other illicit activities online, we need a holistic discussion between law enforcement, policymakers and privacy communities to balance societal interests and individual rights.

On October 17, 2023, The First-tier Tribunal of the UK General Regulatory Chamber allowed an appeal by Clearview AI Inc. (“Clearview”) against an enforcement notice and fine issued by the UK’s Information Commissioner’s Office (“ICO”).

On October 3, 2023, the UK Information Commissioner's Office ("ICO") published new Guidance on lawful monitoring in the workplace, designed to help employees comply with their obligations under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA").

On September 21, 2023, the UK Information Commissioner’s Office (“ICO”) published an opinion on the UK Government’s assessment of adequacy for the UK Extension to the EU-U.S. Data Privacy Framework (the “UK Extension”). The ICO provides that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and lay regulations to that effect, there are four specific areas that could pose risks to UK data subjects if the protections identified are not properly applied. These four risks are: 

On September 21, 2023, UK Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the UK Parliament, giving effect to a UK-U.S. Data Bridge. The regulations are supported by several documents, including a fact sheet and an “explainer.”  The regulations are due to take effect on October 12, 2023. U.S. companies approved to join the “UK Extension to the EU-US Data Privacy Framework” will be able to receive UK personal data under the new Data Bridge.

On September 6, 2023, the European Commission designated six companies as gatekeepers under Article 3 of the Digital Markets Act (“DMA”). The new gatekeepers are Alphabet, Amazon, Apple, ByteDance, Meta and Microsoft. Jointly, these companies provide 22 core platform services, including social networks, internet browsers, operating systems and mobile app stores.

On August 24, 2023, 12 data protection authorities published a joint statement calling for the protection of personal data from unlawful data scraping. The statement was issued by the authorities of Argentina, Australia, Canada, Colombia, Hong Kong, Jersey, Mexico, Morocco, New Zealand, Norway, Switzerland and the UK. The joint statement reminds organizations that personal data that is publicly accessible is still subject to data protection and privacy laws in most jurisdictions, and highlights the risks facing such data, including increased risk of social engineering or phishing attacks, identify fraud, and unwanted direct marketing or spam.

On July 19, 2023, the European Data Protection Board (“EDPB”) issued an Information Note regarding data transfers to the U.S. following the adoption of an adequacy decision on the EU-U.S. Data Privacy Framework (the “Data Privacy Framework”) on July 10, 2023 (the “Information Note”).

On July 14, 2023, the Norwegian Data Protection Authority (“DPA”) ordered Meta Platforms Ireland Limited and Facebook Norway AS (jointly, “Meta”) to temporarily cease the processing of personal data of data subjects in Norway for the purpose of targeting ads on the basis of “observed behavior,” when relying on either the contractual necessity legal basis (Article 6(1)b)) or the legitimate interests legal basis (Article 6(1)(f)) of the GDPR.

On July 10, 2023, the European Commission formally adopted a new adequacy decision on the EU-U.S. Data Privacy Framework (the “Adequacy Decision”). The adoption of this Adequacy Decision follows years of intense negotiations between the EU and the U.S., after the invalidation of the EU-U.S. Privacy Shield by the Court of Justice of the European Union (“CJEU”) in the Schrems II case.

On July 4, 2023, the European Commission proposed a new Regulation for additional procedural rules relating to the enforcement of the GDPR (the “GDPR Enforcement Regulation”). With the GDPR Enforcement Regulation, the European Commission aims to make the handling of cross-border data protection cases more efficient by harmonizing certain administrative procedures and elaborating existing rules on cooperation between EU Supervisory Authorities.

On June 19, 2023, the UK Information Commissioner’s Office (“ICO”) recommended that organizations start using privacy enhancing technologies (“PETs”) to share personal information safely, securely and anonymously. The ICO also has issued new guidance on PETs which is aimed at those using large data sets in finance, healthcare, money laundering and cybercrime. The guidance contains information on how PETs can be used to help organizations with data protection compliance and technical detail on the different types of PETs currently available.

On June 30, 2023, the European Data Protection Board (“EDPB”) published Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (the “Recommendations”), which were adopted on June 20, 2023. Binding corporate rules (“BCRs”) are a mechanism for transferring personal data to third countries in accordance with Chapter V of the EU General Data Protection Regulation (“GDPR”), and must be approved by the relevant organization’s lead supervisory authority. BCRs create enforceable rights and set out commitments in order to create, for the personal data transferred under the BCRs, a level of protection essentially equivalent to that provided by the GDPR.

On July 3, 2023, U.S. Secretary of Commerce Gina Raimondo issued a statement confirming that the U.S. has fulfilled its commitments for implementing the EU-U.S. Data Privacy Framework (the “Framework”). In the statement, it was confirmed that the EU, Iceland, Liechtenstein and Norway, have been designated as “qualifying states” for purposes of implementing the redress mechanism established under Executive Order 14086, such designation to be become effective upon the adoption of an adequacy decision by the EU for the Framework. Further, according to the statement, the Office of the Director of National Intelligence has confirmed that the U.S. Intelligence Community has adopted its policies and procedures pursuant to Executive Order 14086.

On June 27, 2023, the Council and the European Parliament reached a Political Agreement (“Political Agreement”) on the Proposal for a Regulation on harmonized rules on fair access to and use of data (the “Data Act”). The Data Act aims to “ensure fairness in the digital environment, stimulate a competitive data market, open opportunities for data-driven innovation and make data more accessible for all” and was initially proposed by the European Commission on February 23, 2022.

On June 15, 2023, the UK Information Commissioner’s Office (“ICO”) called for businesses to address the privacy risks posed by generative artificial intelligence (“AI”) before “rushing to adopt the technology.” Stephen Almond, the ICO’s Executive Director of Regulatory Risk, said:  “Businesses are right to see the opportunity that generative AI offers . . . . But they must not be blind to the privacy risks.” An organization wishing to use AI should seek to understand at the outset how AI will use personal data, and mitigate any known risks. The ICO stated it is ...

On June 14, 2023, the European Parliament (“EP”) approved its negotiating mandate (the “EP’s Position”) regarding the EU’s Proposal for a Regulation laying down harmonized rules on Artificial Intelligence (the “AI Act”). The vote in the EP means that EU institutions may now begin trilogue negotiations (the Council approved its negotiating mandate on December 2022). The final version of the AI Act is expected before the end of 2023.

On June 7, 2023, the European Data Protection Board (“EDPB”) adopted the final version of its Guidelines on the calculation of administrative fines under the GDPR (the “Guidelines”). Through the Guidelines, the EDPB intends to harmonize the methodology used by supervisory authorities (“SA”) to calculate fines.

On May 25, 2023, the European Data Protection Board (“EDPB”) elected Anu Talus, head of the Finish data protection authority, as its new Chair, replacing Andrea Jelinek. The EDPB also elected Irene Loizidou Nikolaidou, head of the Cypriot data protection authority, as one of its Deputy Chairs, replacing Ventsislav Karadjov.

On May 23, 2023, the UK Information Commissioner, John Edwards, delivered the opening remarks at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”). The Commissioner opened his speech by stating his “principal reason” for being present was to provide “reassurance” that he takes his “responsibility of protecting Europeans data in the United Kingdom very seriously” and “will continue to do so through the process of law reform, and beyond.” The Commissioner went on to discuss several points, including the following:

On May 22, 2023, the Irish Data Protection Commission (the “DPC”) announced a €1.2 billion fine against Meta Ireland for unlawfully transferring personal data to the U.S.

On May 17, 2023, the European Data Protection Board (EDPB) adopted the final version of its Guidelines on facial recognition technologies in the area of law enforcement (the “Guidelines”). The Guidelines address lawmakers at the EU and EU Member State level, and law enforcement authorities and their officers implementing and using facial recognition technology. 

On May 16, 2023, the French Data Protection Authority (the “CNIL”) announced its action plan on artificial intelligence (the “AI Action Plan”). The AI Action Plan builds on prior work of the CNIL in the field of AI and consists of a series of activities the CNIL will undertake to support the deployment of AI systems that respect the privacy of individuals.

On May 11, 2023, at a plenary session, the European Parliament voted to adopt a resolution on the adequacy of the protection afforded by the EU-U.S. Data Privacy Framework (the “Framework”) which calls on the European Commission (the “Commission”) to continue negotiations with its U.S. counterparts with the aim of creating a mechanism that would ensure equivalence and provide the adequate level of protection required by EU data protection law.  The text was adopted with 306 votes in favor, 27 against and 231 abstaining. This resolution follows the draft motion (summary available here) which was published in February 2023 and urged the Commission not to adopt adequacy based on the Framework.

On May 4, 2023, the Court of Justice of the European Union (“CJEU”) issued a judgment in the Österreichische Post case (C-300/21). In the decision, the CJEU clarified that a mere infringement of the EU General Data Protection Regulation (“GDPR”) is not sufficient to give data subjects the right to receive compensation under Article 82 of the GDPR. Article 82 provides that “any person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered.”

On April 26, 2023, the European Data Protection Board (“EDPB”) initiated the procedure for electing a new Chair and Deputy Chair to replace Andrea Jelinek and Ventsislav Karadjov, whose mandates will end on May 25, 2023.

On March 28, 2023, the French Data Protection Authority (the “CNIL” or “French DPA”) announced a €125,000 fine on the e-scooter rental company Cityscoot for breaching EU and French data protection rules, in particular in the context of geolocation and use of Google reCAPTCHA. The fine was imposed on March 16, 2023.

This is an excerpt from Centre for Information Policy Leadership (“CIPL”) President Bojana Bellamy’s recently published piece in the IAPP “Privacy Perspectives” blog, and are the views of the author.

On March 8, 2023, the UK Secretary of State for Science, Innovation and Technology, Michelle Donelan, introduced the Data Protection and Digital Information (No. 2) Bill to UK Parliament. The first version of the reform bill was originally proposed by the UK government in July 2022, but was put on pause during September 2022. 

On February 28, 2023, the European Data Protection Board (“EDPB”) issued its Opinion 5/2023 on the European Commission Draft Implementing Decision on the adequate protection of personal data under the EU-US Data Privacy Framework (the “Opinion”). In the Opinion, the EDPB recognized substantial improvements in the proposed EU-U.S. Data Privacy Framework (“DPF”) when compared to Privacy Shield, whilst also stating that a number of aspects of the DPF need to be clarified, developed or further detailed.

On February 24, 2023, following public consultation, the European Data Protection Board (EDPB) published the following three sets of adopted guidelines:

1. Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V GDPR (05/2021) (final version);
2. Guidelines on certification as a tool for transfers (07/2022) (final version); and
3. Guidelines on deceptive design patterns in social media platform interfaces (03/2022) (final version).

On February 14, 2023, in a Draft Motion for a Resolution on the adequacy of the protection afforded by the proposed EU-U.S. Data Privacy Framework (the “Framework”), the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (the “Committee”) urged the European Commission not to adopt adequacy based on the Framework, on the basis that it “fails to create actual equivalence” with the EU in the level of data protection that it provides.

On February 9, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the X-FAB Dresden case (C-453/21). In this decision, the CJEU clarified the criteria for assessing whether a conflict of interest exists between the Data Protection Officer (“DPO”) position, and other tasks or duties assigned to the DPO.

On January 18, 2023, the European Data Protection Board (“EDPB”) published its Report on the work undertaken by the Cookie Banner Taskforce (the “Report”).

On January 12, 2023, the French Data Protection Authority (the “CNIL”) announced a €5,000,000 fine for the social network TikTok for violations of applicable cookie rules. The fine was imposed at the end of 2022.

On January 4, 2023, the Irish Data Protection Commission (“DPC”) announced the conclusion of two inquiries into the data processing practices of Meta Platforms, Inc. (“Meta”) with respect to the company’s Instagram and Facebook platforms. As a result of the investigations, the DPC fined Meta a combined €390 million for breaches of the EU General Data Protection Regulation (“GDPR”) and, following consultation with the European Data Protection Board (“EDPB”), notably held that Meta can no longer rely on the GDPR’s “performance of a contract” legal basis for processing personal data in the behavioral advertising context, a decision that has broad implications for publishers engaged in behavioral advertising in the EU.

On January 10, 2023, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth  responded to a call for public comments from the European Data Protection Board (“EDPB”) regarding their Recommendations 1/2022 on the Application for Approval and on the elements and principles to be found in Controller Binding Corporate Rules (Art. 47 GDPR) (“Recommendations 1/2022”). The Recommendations 1/2022 are intended to bring existing Controller Binding Corporate Rules (“BCR-C”) in line with the GDPR and the Schrems II ruling.

On January 16, 2023, the Directive on measures for a high common level of cybersecurity across the Union (the “NIS2 Directive”) and the Directive on the resilience of critical entities (“CER Directive”) entered into force. The NIS2 Directive repeals the current NIS Directive and creates a more extensive and harmonized set of rules on cybersecurity for organizations carrying out their activities within the European Union. The CER Directive repeals the European Critical Infrastructure Directive and brings with it new, stronger rules for the cyber and physical resilience of critical entities and networks.

On January 11, 2023, the Belgian Data Protection Authority (“Belgian DPA”) announced that it has approved the Interactive Advertising Bureau Europe’s (“IAB Europe”) action plan with respect to its Transparency and Consent Framework (“TCF”).

On December 29, 2022, the French Data Protection Authority (the “CNIL”) announced that it imposed an €8,000,000 fine on Apple for violations of the French rules on targeted advertising and the use of cookies and similar tracking technologies.

On December 20, 2022, the English High Court has granted the victim of a cyber attack a permanent injunction against cyber attackers whilst the victim organization maintains its anonymity. Generally, a claimant's identity is public in English court proceedings. Injunctions can be made against unknown and unidentifiable defendants enabling them to be granted against individuals who are acting in breach or threatening to commit a breach. 

On December 9, 2022, Hunton Andrews Kurth LLP London senior consultant attorney Rosemary Jay received the 2022 PICCASO Privacy Award for Achievement in recognition of her longstanding contributions to the data privacy industry.

On December 13, 2022, the European Commission launched the process for the adoption of an adequacy decision for the EU-U.S. Data Privacy Framework. If adopted, the long-awaited adequacy decision will provide EU companies transferring personal data to the U.S. with an additional mechanism to legitimize their transfers.

An adequacy decision would foster trans-Atlantic data flows and address the concerns raised by the Court of Justice of the European Union (“CJEU”) judgment in the Schrems II case.

On December 12, 2022, at the “POLITICO Live” event presented in cooperation with Hunton Andrews Kurth LLP’s Centre for Information Policy Leadership ("CIPL")—titled “EU-U.S. Data Flows: Game Changer or More Legal Uncertainty?”—featured speakers from both sides of the Atlantic optimistic that the new EU-U.S. Data Privacy Framework will withstand an anticipated legal challenge.

On November 25, 2022, Ireland’s Data Protection Commission (“DPC”) released a decision fining Meta Platforms, Inc. (“Meta”) €265 million for a 2019 data leak involving the personal information of approximately 533 million Facebook users worldwide.

The UK Information Commissioner’s Office (“ICO”) recently published a package of detailed guidance and checklists for direct marketing activities. The ICO’s new webpage on direct marketing now includes various resources, including specific guidance for SMEs, business-to-business marketing, and organizations using the marketing services of data brokers, as well as direct marketing FAQs and checklists, and a training module for businesses.

On November 22, 2022, the Court of Justice of the European Union (“CJEU”) determined in a preliminary ruling that the general public’s access to information on beneficial ownership constitutes a serious interference with the fundamental rights to respect for private life and to the protection of personal data, enshrined in Articles 7 and 8 of the Charter of Fundamental Human Rights (the “Charter”).

On November 15, 2022, the Italian Supreme Court held that an Italian court or competent data protection authority has jurisdiction to issue a global delisting order. A delisting order requires a search engine to remove certain search results about individuals if the data subject’s privacy interests prevail over the general right to expression and information, and the economic interest of the search engine. The case was brought by an Italian individual, who requested a worldwide delisting order, concerning all versions of the search engine, due to potential damage to the applicant's professional interests outside of the European Union.

On November 30, 2022, the UK government confirmed that the Network and Information Systems (“NIS”) Regulations 2018 (“NIS Regulations”) will be strengthened to protect essential and digital services against cyber attacks. The changes bring providers of outsourced IT and managed service providers (“MSPs”) into scope of the NIS Regulations. The announcement comes in response to a public consultation held in January this year.

On November 23, 2022, the UK government’s Department for Digital, Culture, Media & Sport (“DCMS”) announced that it had completed its assessment of South Korea’s personal data legislation, and concluded that sufficiently strong privacy laws are in place to protect UK personal data transferred to South Korea while upholding the rights and protections of UK citizens.

On November 17, 2022, the UK data protection regulator, the Information Commissioner’s Office (“ICO”), published updated guidance on international transfers that includes a new section on transfer risk assessments (“TRAs”) and a TRA tool.

In its statement regarding the updated guidance, the ICO describes the TRA guidance as “an alternative approach to the one put forward by the European Data Protection Board” and says its aim is “to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate.”

On November 1, 2022, the Digital Markets Act (the “DMA”) entered into force. The DMA introduces new rules for certain core platforms services acting as “gatekeepers” in the digital sector (including search engines, social networks, online advertising services, cloud computing, video-sharing services, messaging services, operating systems and online intermediation services). The DMA also aims to prevent such platforms from imposing unfair conditions on businesses and consumers, and to ensure the openness of important digital services.

On  November 2, 2022, the ICO issued to the UK Department for Education (“DfE”) a formal reprimand following an investigation into the sharing of personal data stored on the Learning Records Service (“LRS”), a database which provides a record of pupils’ qualifications that the DfE has overall responsibility for. The investigation found that the DfE’s poor due diligence meant the LRS database was being used by Trust Systems Software UK Ltd (trading as Trustopia), a third party screening firm, to check whether people opening online gambling accounts were 18. Trustopia was found to have had access from September 2018 to January 2020, during which it performed over 20,000 searches on children whose personal data was in the LRS database.

On October 18, 2022, the European Commission published a report, titled Information Frictions and Public Policies: Approaching the Regulation and Supervision of Decentralized Finance (“DeFi”) (the “Report”). The Report discusses the need to adapt existing policy frameworks to account for the change brought about by DeFi to the underlying information structure upon which financial services are provided. Unlike traditional finance, DeFi applications provide financial services based on blockchain technology, i.e., without requiring any intermediary agent and instead relying on automated protocols that are encoded in public digital contracts universally accessible and maintained by an open pool of pseudonymous miners.

On September 23, 2022, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted a response to the UK Department for Digital, Culture, Media & Sport (“DCMS”) on its Consultation on establishing a pro-innovation approach to regulating AI (the “Response”).

On October 24, 2022, the UK Information Commissioner’s Office (“ICO”) issued a £4.4 million fine to Interserve Group Limited for failing to keep employee personal data secure, which violates Article 5(1)(f) and Article 32 of the EU General Data Protection Regulation (“GDPR”), during the period of March 2019 to December 2020. The ICO determined that such violations rendered Interserve vulnerable to the cyber attack which took place between March 2020 and May 2020, affecting the personal data of up to 113,000 Interserve employees. The compromised data included contact details, national insurance numbers and bank account details, as well as special category data, including ethnic origin, religion, details of any disabilities, sexual orientation and health information.

On October 17, 2022, the French Data Protection Authority (the “CNIL”) imposed a €20 million fine on Clearview AI for unlawful use of facial recognition technology. The fine was imposed after the CNIL’s prior formal notice remained unaddressed by Clearview AI.

On October 12, 2022, the UK Information Commissioner's Office (“ICO”) launched a public consultation on its draft guidance on employers’ obligations when monitoring at work (“Draft Guidance”). In addition, the ICO has published an impact scoping document, which outlines some of the context and potential impacts of the Draft Guidance (“Impact Scoping Document”).

On October 7, 2022, President Biden signed Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, which provides a new framework for legal data transfers between the European Union and the United States. The legal basis for transatlantic data transfers has been uncertain since 2020, when the European Court of Justice (“ECJ”) declared the previous framework, the EU-U.S. Privacy Shield, invalid under EU law. 

On October 3, 2022, the U.S. Department of Justice (“DOJ”) announced that the agreement between the U.S. Government and the UK Government on Access to Electronic Data for the Purpose of Countering Serious Crime (the “CLOUD Act Agreement”) entered into force, effective the same day. The CLOUD Act Agreement, which is authorized by the U.S. Clarifying Lawful Overseas Use of Data (“CLOUD”) Act, is the first of its kind and will allow each country’s investigators to gain access to data held by service providers in the other country, for the purpose of combating serious crime. According to DOJ, this “will greatly enhance the ability of the United States and the United Kingdom to prevent, detect, investigate and prosecute serious crime, including terrorism, transnational organized crime, and child exploitation, among others.”

Background

On September 15, 2022, the European Commission presented its proposal for a Regulation on horizontal cybersecurity requirements for products with digital elements (the “Cyber Resilience Act”). According to the European Commission, the Cyber Resilience Act will be the first EU-wide legislation introducing “cybersecurity requirements for products with digital elements, throughout their whole lifecycle.”

On September 21, 2022, Denmark’s data protection authority Datatilsynet (“Danish DPA”) announced its guidance that Google Analytics, Google’s audience measurement tool, is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States which, following Schrems II, does not offer an adequate level of data protection.

On September 5, 2022, the Irish Data Protection Commissioner (the “DPC”) imposed a €405,000,000 fine on Instagram (a Meta-owned social media platform) for violations of the EU General Data Protection Regulation’s (“GDPR’s”) rules on the processing of children’s personal data.

On August 5, 2022, French AdTech company Criteo announced that it had received a report from the French Data Protection Authority (“CNIL”) on August 3, 2022, claiming various infringements of the EU General Data Protection Regulation (“GDPR”) and proposing to impose a €60,000,000 fine against Criteo. The proposed fine follows complaints filed by privacy NGO ‘Privacy International’ against Criteo.

On July 7, 2022, the Irish Data Protection Commission (the “DPC”) sent a draft decision to other EU data protection authorities, proposing to block Meta’s transfers of personal data from the EU to the United States.

On June 23, 2022, Italy’s data protection authority (the “Garante”) determined that a website’s use of the audience measurement tool Google Analytics is not compliant with the EU General Data Protection Regulation (“GDPR”), as the tool transfers personal data to the United States, which does not offer an adequate level of data protection. In making this determination, the Garante joins other EU data protection authorities, including the French and Austrian regulators, that also have found use of the tool to be unlawful.

On May 12, 2022, the European Data Protection Board (“EDPB”) adopted Guidelines 04/2022 on the calculation of administrative fines under the EU General Data Protection Regulation (“GDPR”) (the “Guidelines”). The Guidelines are intended  to harmonize the methodology supervisory authorities (“SAs”) use when calculating the amount of a GDPR fine and provide illustrative examples to help organizations understand the calculation method.

On May 11, 2022, the French Data Protection Authority (the “CNIL”) published its Annual Activity Report for 2021 (the “Report”). The Report provides an overview of the CNIL’s enforcement activities in 2021. The report notably shows a significant increase in the CNIL’s activity.

On May 10, 2022, as part of the Queen’s Speech, the UK government announced its intention to introduce a Data Reform Bill (the “Bill”). The UK government’s background and briefing notes to the Queen’s Speech state that the purpose of the Bill is to “take advantage of the benefits of Brexit to create a world class data rights regime…that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.”

On April 23, 2022, the European Commission announced that the European Parliament and EU Member States had reached consensus on the Digital Services Act (“DSA”), which establishes accountability standards for online platforms regarding illegal and harmful content.

On February 28, 2022, the Emirate of Dubai enacted Law No. 4 of 2022 on the Regulation of Virtual Assets (“VAL”) and established the Dubai Virtual Assets Regulatory Authority (“VARA”). By establishing a legal framework for businesses related to virtual assets, including crypto assets and non-fungible tokens (NFTs), this landmark law reflects Dubai’s vision to become one of the leading jurisdictions for entrepreneurs and investors of blockchain technology.