If you’ve ever thought ‘we’ll slightly delay the newsletter so we can cover this new bit of news, then we’ll close it off’, don’t do that… the torrent never stops!
Here’s our summary of massively impactful Privacy developments in October and early November, as always through the lens of practical impact at your organisation.
We’ve a technical decision on jurisdiction allowing Clearview to evade UK GDPR, clarity on Vehicle Identification Numbers, another iteration of DPDI (we’re calling it DPDI23), our thoughts on SRIs and DPOs, a ton of AI-related news (some less practical right now), the OSB becoming the OSA and so much more.
Let’s start with the EDPB’s resounding confirmation of the ban on behavioural advertising by Meta – but is it a blanket ban? – and Meta’s move to ‘pay or data’.
On 27 October, the EDPB issued an ‘urgent binding decision’ to ban Meta’s use of behavioural advertising based on necessity for contract or legitimate interests, effective across the entire EEA. Either remarkable, a long time coming, or both depending on your view.
Three things to note.
The EU’s Digital Markets Act is now in force and will impact Meta (and others). While you should check whether the DMA covers your organisation, unless you have at least €7.5bn of annual EU turnover (or a €75bn market cap) and at least 45 million monthly active end users in the EU, this next part likely won’t trouble you.
In its list of ‘DMA dos and don’ts’ the EU states that ‘gatekeepers will for example no longer … track end users outside of the gatekeepers’ core platform service for the purpose of targeted advertising, without effective consent having been granted’.
See the DMA on this:
Fines under the DMA are even bigger than GDPR’s: up to 10% of the company’s total worldwide annual turnover, or up to 20% in the event of repeated infringements.
While the DMA can call for consent, GDPR trumps the DMA when it comes to personal data, and Art 2 of the DMA defines ‘consent’ as consent under GDPR.
Meta tried contract. It tried legitimate interest. So now it’s moving to consent in a ‘pay or data’ move where you can either consent to behavioural advertising or pay around €10 per month to use the service without it.
This has triggered a tidal wave of comment and, happily, some have highlighted that it’s not just GDPR at play here. Yes, the question of valid consent is raised, but this triggers other laws too, such as those on unfair contract terms, consumer protection and competition.
From the data protection side:
So expect some findings to be coming from the consistency mechanism on this in the next few months, alongside findings from other DPAs and from competition and related regulators across Europe.
We’re lucky to have a breakdown of the First-tier Tribunal’s (‘FTT’) decision overturning Clearview’s fine from 11 King’s Bench Walk (11 KBW), whose barristers represented both sides.
We think the FTT was wrong, and we’re not alone: in our view Clearview is clearly processing for its own purposes in a way that falls within GDPR.
But we’re not fancy lawyers. 11 KBW are though, and their review ends:
‘It is a nice [meaning precise, intricate] question whether the processing by Clearview – an act of service provision undertaken for commercial activities – should be treated as being undertaken “in the course of an activity which falls outside the scope of Union law”, even if that processing by the client is undoubtedly undertaken in the course of such an activity, and even if the processing is the same processing. And if that is the case as regards ‘Activity 2’ processing, the question might be thought even more acute in the context of ‘Activity 1’ processing, where the client has no role at all.’
So watch this space. We’ll see if the ICO is going to put taxpayers’ money into an appeal.
In the CJEU’s decision in Scania, we’ve one superfluous finding and two interesting findings.
The superfluous finding is that VINs are personal data if they are linked to an individual, and not if they’re not, for example where a company owns the car and no individual appears on the registration certificate.
The first interesting finding is confirmation that the EU law requiring manufacturers to make VINs (and more information on cars) available to repair garages etc is indeed a legal obligation to share personal data (where a VIN qualifies as personal data) for GDPR’s Art 6.
The CJEU quickly ran through the test that the law setting out the legal obligation must:
We recommend looking at paras 53 to 62 of the decision, which provide a clean example to follow if you have to do that determination yourself.
The second interesting finding is about when data qualifies as personal data, and it’s interesting because the UK GDPR reform bill (DPDI) is back in Parliament (see below).
In other words: the VIN is personal data for the garages if they can identify an individual from it, and it’s personal data for the manufacturers even if they can’t do so, because the people they’re going to give it to (the garages) can.
That makes total sense under current law.
This may be ‘cold towel around the head’ stuff, but it gets more so when you see that the UK’s bill to reform UK GDPR, the DPDI, was mentioned in the King’s Speech and is moving towards the statute books…
On 7 November, King Charles gave the King’s Speech, setting out the government’s agenda and the explanatory note lists the DPDI Bill on pages 28 to 30. It’s the third iteration, but it’s in 2023 so we’re calling it DPDI23.
We’ve updated our crosswalk of UK GDPR, now against DPDI23, and you can download that from our website. Here’s the RoPA side-by-side:
And here’s how the RoPA exemption has travelled:
UK DPOs are a bit nervous about disappearing from the law and SRIs coming in; however, we believe this will be a much bigger burden on UK business and a bonanza for current DPOs and providers such as Keepabl.
You can see more in our SRI breakdown; for now we’ll just highlight that the SRI’s tasks are much heavier than the DPO’s:
Belgium’s DPA, the APD, has issued a cookie checklist which doesn’t contain any shockers but does continue the push for a Reject All button at the same level as an Accept All button:
It’s unsurprising as it’s in line with the EDPB Cookie Banner Taskforce report, which said that the ‘vast majority’ of DPAs considered not having the ability to reject at the same level as accept was an infringement, but it’s nuanced:
‘[A] Few authorities considered that they cannot retain an infringement in this case as article 5(3) of the ePrivacy Directive does not explicitly mentioned a “reject option” to the deposit of cookies.’
We reported on California’s Age Appropriate Design Code being declared unconstitutional in our last newsletter. Which we’ll take as a ‘down’.
As a significant ‘up’, California has passed the Delete Act.
The Delete Act introduces, over the next couple of years, a register of data brokers and a centralised system for erasure requests with a 45-day compliance deadline.
The first legal challenge to the EU-US DPF failed on 12 October 2023 as the claimant, a French MEP, had not shown the urgency or particular harm to himself, so the court did not need to look at the other parts of the test for issuing an injunction preventing the DPF taking effect. H/T Norman Aasma.
Now we hear that NOYB is near to launching its challenge, which will likely be more threatening.
If you’ve a coffee break, do read this blog from Bates Wells on the changes to the meaning of ‘fundamental rights and freedoms’ after Brexit and the impact of the Retained EU Law (Revocation and Reform) Act.
Then notice that the EDPS just posted a piece on respecting the essence of fundamental rights – coincidence? Maybe, but it shows that we fiddle with human rights underlying data protection at our peril.
Recent shenanigans in the Tory party / UK government mean the threat to our membership of the ECHR regime may have abated for now, but the threat isn’t over.
The UK Online Safety Bill became the Online Safety Act on 26 October. The regulator is Ofcom.
Now, this law is a behemoth and, to prove it, on 9 November Ofcom released some 1,500 pages of draft guidance:
Feeling overwhelmed? You’re in good company. Decoded’s Neil Brown’s blog is a good read and will make you feel you’re not alone.
The consultation is open until 23 February 2024 so do get involved.
OK. AI. There is so much to say. We’ll say a bit about 3 practical developments and then give you the links and leave you to it – we’ve already kept you long enough this month!
On 6 October, the UK ICO issued Snap with a ‘preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’ … Investigation provisionally finds Snap failed to adequately identify and assess the risks to several million ‘My AI’ users in the UK including children aged 13 to 17.’
The chatbot was ‘powered by OpenAI’s GPT technology’.
Oliver Patel is always a good follow on AI and his post gives you an inroad to Google and Microsoft’s recent rollout of IP indemnities for certain claims from use of their AI products.
But is IP enough?
So, while the IP indemnity is very nice – and in line with decades of IP indemnities in such contracts, though do read the limits of the indemnity carefully – in our view it’s the tip of the iceberg.
The US Executive Order on AI (the ‘EO’) dictates how the federal government will buy and use AI, and so it will impact all private sector suppliers to the US government. That will extend its scope considerably.
It was cheekily timed considering the UK’s Bletchley Park event and announcement but it’s clearly been a while in the making and builds on all the work we’ve reported on in previous newsletters.
Here’s where we leave you with the links – enjoy!
Need to upgrade (or even establish) your RoPA into something that’s easy to create and maintain? Need automated Breach and Rights management?
Do contact us to see for yourself, book your demo now!