The UK has a new Government and in their manifesto there is a desire for economic growth.  The manifesto itself did not focus on data protection regulation or AI, but they did talk of establishing a ‘National Wealth Fund’ to boost investment, capitalised with £7.3bn over the course of the next parliament (meaning roughly 4 years) including:

1.     £1.5bn to new gigafactories,
2.     £1bn for carbon capture,
3.     £500 million for green hydrogen.

They also promised to create a new National Infrastructure and Service Transformation Authority, and proclaimed support for technology to enable open banking and finance but it was not clear what that means for businesses in practice, or data regulation. Very promising was their commitment to the ‘ambition’ of full gigabit and national 5G coverage by 2030, but we do not know the detail.  They want to see adoption of AI, but the only concrete suggestion in the manifesto was linked to making it easier to get planning permission for data centres.  The new Government also proposes to create a new Regulatory Innovation Office to help regulators update regulation and coordinate wider issues. The attitude to Regulation and how that is seen as a force for good by the Government might be a developing theme.

However, since the election we have had the kings Speech on behalf of the new Government setting out their planned new laws and this gives us a clearer idea of where things are heading in regards to data and AI, with two new laws proposed (one of which is a resurrection of the last Government’s plans):

Digital Information and Smart Data Bill [from the Department for Science, Innovation and Technology]

The Government states that this Bill will enable innovative uses of data to be safely developed and deployed.  It aims to improve people’s lives by making public services work better by reforming data sharing standards; and it is claimed it will help scientists and researchers make more discoveries by improving data laws; and ensuring data is protected by giving the regulator (the ICO) new, stronger powers and a more modern structure.

Cyber Security and Resilience Bill [from the Department for Science, Innovation and Technology]

The Bill will update the existing UK regulations regarding cyber security. The Bill will update the regulatory framework to better protect digital services by expanding the remit of the regulations, put regulators on a stronger footing to ensure cyber safety measures are being implemented, and mandating increased incident reporting to give government better data on cyber attacks.

Bulgarian Warning on Political Use of Data

To take part in elections for the Bulgarian National Assembly, a political party registered for participation on the basis of an application that included a list with the full names, unique civil numbers and handwritten signatures of several thousands citizens, suggesting that those data subjects supported the registration of the party.  However, not all did support that purpose.  The Bulgarian Data Authority (CPDP) considered if the party was unlawfully processing personal data, and found that the data subjects did not sign up in support of the registration, or give consent for the processing of their personal data.  The CPDP therefore found that the controller lacked a legal basis under GDPR Article 6(1) for the processing and infringed the accountability principle of Article 5(2).

Italian Municipality forgot to do an Impact Assessment

An Italian municipality developed a mobile application for people to send notifications to the Local Police about crime/safety issues in particular areas.  The expectation was that the Police could then use video surveillance to monitor the area. This would result in personal data being collected.  The data authority was concerned that the way the app worked could mean personal data was gathered without a clear lawful basis and could result in the collection of ‘non-necessary data’ or data falling under Articles 9 or 10 GDPR.  The data authority found violations of Articles 5(2) and 25 GDPR, as the controller did not, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate measures to ensure that the GDPR was complied with.

Criteo SA, a technology company provides software services relating to digital marketing, media advertising and real time ads. The controller placed tracking cookies for targeted advertising on computers and mobile devices of users visiting certain third party websites. The controller used the Real Time Bidding (RTB) System to recognise a user within seconds and to show personalised ads.  The Dutch authority raised concerns regarding the placing of tracking cookies on data subject’s devices without consent, pointing out this violates Article 11.7a(1) Dutch telecommunications law (“Telecommunicatiewet – TW”) and Articles 5(1)(a), 6(1), 7, 13 and 14 GDPR.  After a finding that the use of cookies was not permitted, there was a fine.  On appeal the Court of Amsterdam (“Gerechtshof Amsterdam”) found that tracking cookies were placed by the controller and that the data subject’s personal data was processed in violation of the GDPR, and they upheld the fine.

A further action was brought this year, and it determined that the unlawful processing had continued.  Paying the past fine did not absolve hem of ongoing violation, and so the court determined to impose a penalty per day whilst the controller continues to place tracking cookies. Although the controller had taken steps to address the violation by providing written warnings and ending contracts with websites that did not comply, they had failed to meet their full compliance obligations.  The court therefore imposed an additional penalty of €500 per day (with a maximum of €50.000) against the controller until it complies with the prohibition of placing tracking cookies on data subject devices.

If you have any questions on any of the information in this email, please contact James Tumbridge & Robert Peake