EDPB concerns over EU-US Data Privacy Framework
On 28 February 2023, the European Data Protection Board (EDPB) adopted its opinion on the draft adequacy decision regarding the EU-US Data Privacy Framework (DPF). The board welcomed the improvements in the draft decision over the EU/US Privacy Shield, which was invalidated by the CJEU in Schrems II, but expressed concerns over some elements of the DPF.
While the EDPB acknowledged significant improvements had been made with respect to government access to personal data, it raised concerns that relate to cornerstone elements of the General Data Protection Regulation (GDPR), including data subject rights and the availability of an appropriate redress mechanism.
It remains to be seen whether the next stage of the legislative process – an opinion from a committee of Member State representatives – will raise similar concerns.
ICO approves fourth UK GDPR Certification Scheme
This month, the Information Commissioner's Office (ICO) approved certification scheme criteria for training and qualification service providers, following three other schemes previously approved by the ICO.
The certification schemes are intended to help organisations demonstrate their compliance with data protection laws and are part of the ICO's 2025 strategy to provide services, tools and initiatives to help reduce the burden of compliance for organisations.
UK government reignites data protection reform
Following much anticipation, the new Department for Science, Innovation and Technology has introduced the Data Protection and Digital Information (No.2) Bill. It is the second version of the bill and proposes wholesale changes to the UK's privacy framework.
Read our in-depth Insight on the bill.
ICO publishes updated AI and data protection guidance
On 15 March 2023, the ICO updated its guidance on artificial intelligence (AI) and data protection in response to feedback from UK industry to clarify the requirements of fairness in this context. The updates are also part of the ICO's 2025 strategy to support innovation while safeguarding data privacy.
The updates include new chapters on ensuring transparency, fairness and lawfulness in AI, and a new section on what organisations should assess in a data privacy impact assessment when using AI to process personal data.
The ICO anticipates making further updates to the guidance to reflect AI's continued development and also the upcoming UK government white paper on AI Regulation.
EU Parliament gives green light to draft Data Act
Earlier this month, a substantial majority of the EU Parliament voted in favour of the draft Data Act, which is intended to establish common rules governing the sharing of data generated by the use of connected products.
The EU Parliament will now enter negotiations with the Council of the European Union to agree a final version of the draft Data Act.
For a deeper dive into the key concepts of the draft Data Act, please see our previous Insight.
ICO agrees to reduce Easylife fine
The ICO has, following an appeal from Easylife, agreed to reduce the £1.35m fine which it had issued to Easylife in October 2022 for its breach of data protection laws. The fine has been reduced to £250,000.
The fine related to Easylife's use of customer personal data to predict an individual's medical condition and target them with specific health-related products.
The ICO has not explained the basis for the significant reduction, other than to state that it had considered the amount of the penalty again during the course of the litigation, in light of the issues raised by Easylife. Given this explanation, it appears that the ICO decided to take a pragmatic approach on the basis that the risks, and costs, of litigating the appeal were too great. See our Insight for more.
EDPB adopts guidelines on dark patterns
Please see Consumer law.