A sneaky entry into the June data wrap given that it was actually announced on Monday 10 July, but the European Commission (the "Commission") has now adopted its adequacy decision for the EU-US Data Privacy Framework (the "Framework"). The decision means that personal data can now freely flow to organisations participating in the Framework without the need for transfer impact assessments or standard contractual clauses.
In its press release, the Commission explained that the Framework introduces new binding safeguards to address the concerns raised by the Court of Justice of the European Union ("CJEU") in Schrems II, the judgment that invalidated the previous US adequacy decision (the EU-US Privacy Shield). However, Max Schrems and his non-profit organisation NOYB have already stated publicly that they have prepared the paperwork to challenge the new regime and bring it before the CJEU for a third time. Their view is that the new Framework is largely a copy of the Privacy Shield and fails to address the fundamental issues identified in Schrems II.
That said, legal challenges such as NOYB's potential case are rarely resolved quickly, and many organisations struggling with compliance in the aftermath of Schrems II will be relieved that an alternative transfer mechanism is available for US transfers in the meantime. Of note, the adequacy decision has a built-in review mechanism: the Commission's first review is due to take place within one year.
A transition process is expected for organisations that remained certified under the Privacy Shield, while new applicants will go through a separate self-certification process to participate in the Framework. The Framework will be administered by the US Department of Commerce, which will process certification applications and monitor whether participating companies continue to meet the certification requirements. The US Federal Trade Commission will be responsible for enforcing US companies' compliance with their obligations under the Framework.
A more detailed review of the Framework will follow on HSF Data Notes.
Following UK Prime Minister Rishi Sunak's visit to the US to launch the 'Atlantic Declaration', which is intended to create an economic partnership between the two nations, the UK Secretary of State for Science, Innovation and Technology and her US counterpart announced a commitment in principle to establish a data bridge between the UK and the US (the "Data Bridge"). The Data Bridge would act as a UK extension to the EU-US Data Privacy Framework and facilitate data flows between the two countries, which at present rely on costly contractual clauses. By relieving some of the red tape placed on US organisations, the Government hopes to speed up transfers and reduce costs for UK entities doing business with US firms.
Now that the Commission has adopted its adequacy decision for the EU-US Data Privacy Framework, it is expected that the UK position will gather pace.
The Council of the EU (the "Council") and the European Parliament have reached a political agreement on the proposed Data Act on fair access to and use of data. According to the Council's press release, the proposed regulation will allow users of connected devices, ranging from smart home appliances to smart industrial machinery, to access the data generated by their use, which is currently harvested exclusively by manufacturers and service providers. It will also provide a means for public sector bodies to access and use data held by the private sector where this is necessary in exceptional circumstances, particularly in cases of public emergency. Finally, the agreement clarifies the interplay between the Data Act and other legislation, such as the GDPR.
The text will now undergo legal-linguistic review with an unofficial version expected mid-July and the final version formally adopted in September according to Global Data Review. Once adopted, the Data Act will enter into force on the 20th day following its publication in the EU's Official Journal and will apply after a 20-month grace period, which is expected to end at some point in 2025.
A more detailed review of the Data Act will follow on HSF Data Notes.
On 14 June 2023, the European Parliament adopted its negotiating position on the EU AI Act.
The proposed rules follow a risk-based approach and establish obligations for developers and those deploying AI systems depending on the level of risk the AI can generate. AI systems with an unacceptable level of risk to people's safety would be prohibited. The European Parliament expanded the list to include bans on intrusive and discriminatory uses of AI, such as untargeted scraping of facial images from the internet to create facial recognition databases.
Providers of foundation models would have to assess and mitigate possible risks (to health, safety, fundamental rights, the environment, democracy and rule of law) and register their models in the EU database before their release into the EU market. Generative AI systems based on such models, like ChatGPT, would have to comply with transparency requirements (disclosing that the content was AI-generated, also helping distinguish so-called deep-fake images from real ones) and ensure safeguards against generating illegal content.
Trilogue negotiations with the Council have now started, and we expect the key areas of debate initially to include the definitions of AI and of high-risk use cases, as well as the approach to conformity assessments. For more information about the proposed EU AI Act, see our Techquake article; a more detailed review of the path to finalising the EU AI Act will follow on HSF Data Notes.
The EDPB has published its finalised guidelines on the calculation of administrative fines under the GDPR (the "Guidance") following an earlier public consultation.
The Guidance sets out a 5-step methodology, taking into account: (i) the instance (or instances) of sanctionable conduct; (ii) the starting point for the calculation of the fine; (iii) any aggravating or mitigating factors; (iv) the relevant legal maximums for fines as set out in the GDPR; and (v) satisfaction of the requirements of effectiveness, dissuasiveness and proportionality.
The Guidance also sets out how the overall turnover of the undertaking is taken into account when imposing an effective, dissuasive and proportionate fine. Supervisory authorities are expected to tailor the amount within the ranges set out in the Guidance, up to the legal maximum. For example, for undertakings with an annual turnover of between €50 million and €100 million, supervisory authorities may consider calculating the fine on the basis of a sum between 8% and 20% of the identified starting amount. As a general rule, the higher the undertaking's turnover within its applicable tier, the higher the starting amount is likely to be.
On 19 June 2023, the ICO published new guidance (the "Guidance") on privacy-enhancing technologies ("PETs") which has been drafted to help organisations better understand how to use the technology. In particular, the Guidance covers how PETs can be used to help organisations comply with data protection requirements, including the data minimisation principle and 'data protection by design and default'.
The Guidance is aimed at two types of reader: the first section addresses points of interest for those who oversee data protection in large organisations, including data protection officers, and the second section caters to a more technical readership, including those managing large personal data sets in finance, healthcare and government.
The following types of PETs, their functionality and associated risks are examined in detail from a technical perspective: (i) Differential privacy; (ii) Synthetic data; (iii) Homomorphic encryption; (iv) Zero-knowledge proofs; (v) Trusted execution environments; (vi) Secure multiparty computation; (vii) Private set intersection; and (viii) Federated learning.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.