Organisations should expect increased scrutiny and enforcement activity around the role of data protection officers in the coming year.

By Gail E. Crawford, Fiona M. Maclean, Ben Leigh, and Amy Smyth

The European Data Protection Board (EDPB) has announced that its coordinated enforcement action for 2023 will focus on the designation and position of data protection officers (DPOs). Each year, the EDPB’s Coordinated Enforcement Framework (CEF) designates a topic EU data protection authorities (DPAs) should focus on. Although participation for any given year is voluntary, the EDPB has stated that this CEF will involve 26 DPAs across the European Economic Area, including the European Data Protection Supervisor.

The proposal provides a uniform basis for secondary research and clarifies uncertainty over implementation and interpretation of the GDPR but also raises many questions.

By Oliver Mobasser and Gail Crawford

On 3 May 2022, the European Commission launched its proposal for a Regulation for the European Health Data Space to “unleash the full potential of health data”. However, questions arise as to whether this proposal is a welcome facilitator of innovation or another burden for research-focussed businesses.

Among other goals

The Advocate General opined that data subjects must prove that they suffered damage from a GDPR breach in order to claim compensation.

By Tim Wybitul, Isabelle Brams, Lara Nonninger, and Hayley Pizzey

Article 82 of the General Data Protection Regulation (GDPR) states that any person who has suffered material or non-material damage as a result of a GDPR infringement has the right to receive compensation. The meaning of non-material damage, in particular, has been debated for some time. Some European courts have been generous in assessing non-material damages to claimants. A number of German courts, for example, have found that loss of control of personal data can amount to damage.[1] A series of cases before the Court of Justice of the European Union (CJEU) also question, among other things, whether damage — or proof of damage — is required at all under Article 82 GDPR.[2]

The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)

The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).

This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.

In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes.

The Advocate General argues that organisations should provide individuals with information on the specific recipients of their personal data.

By Tim Wybitul, James Lloyd, Isabelle Brams, Irina Vasile, and Amy Smyth

Advocate General Giovanni Pitruzzella (AG) of the Court of Justice of the European Union (CJEU) recently delivered an opinion (the Opinion) regarding the interpretation of an individual’s right of access to their data under Article 15 GDPR (often known as a data subject access request, or DSAR/SAR). Specifically, the Opinion addresses an individual’s right to access information about “the recipients or categories of recipient to whom the personal data have been or will be disclosed […]”, pursuant to Article 15(1)(c) GDPR. The AG delivered the Opinion in the context of Case C-154/21 (the Case), which is currently pending before the CJEU.

The EDPB sets out relevant steps and factors that EU supervisory authorities should consider when calculating administrative fines under the GDPR.

By Gail Crawford, Ian Felstead, James Lloyd, Tim Wybitul, Irina Vasile, Sami Qureshi, and Amy Smyth

On 16 May 2022, the European Data Protection Board (EDPB) adopted draft Guidelines 04/2022 on the calculation of administrative fines under the GDPR (Draft Guidelines).[1] The Draft Guidelines are currently subject to public consultation and comments may be submitted until 27 June 2022 (at the latest). The EDPB’s aim is to create a harmonised methodology for the calculation of GDPR fines. All EU supervisory authorities (SAs) must use the same starting points, on the basis of which administrative fines can be subsequently calculated and further tailored for individual cases. The EDPB clearly emphasizes that the Draft Guidelines are not drafted to enable controllers/processors to precisely calculate the expected fine; this determination will rather depend on all the individual circumstances of the case. SAs will need to ensure that fines are effective, proportionate, and dissuasive, taking into account the particularities of each case. While the EDPB acknowledges that SAs retain discretion to account for these particularities, they are clearly expected to follow the methodology set out in the Draft Guidelines.

The CJEU’s decision is likely to have significant implications for ongoing and future proceedings for damages claims under Art. 82 GDPR.

By Tim Wybitul, Christoph Baus, Stefan Patzer, and Isabelle Brams

On April 15, 2021, the Austrian Supreme Court (OGH) referred key questions regarding non-material damages for data protection infringements under Art. 82 GDPR to the European Court of Justice (CJEU) for a preliminary ruling under Art. 267 TFEU. So far, a number of claims for non-material damages based on violations of the GDPR have been dismissed by the courts in Austria and Germany because the plaintiffs did not allege or prove any noticeable immaterial impairment. The OGH makes reference to a decision of the German Federal Constitutional Court (BVerfG) dated January 14, 2021 in which the court overturned a decision by the Goslar Local Court (AG). The BVerfG ruled that the AG would have had submit significant questions about damages to the CJEU before making a decision in the final instance. Whilst the OGH disagreed with the finding of the BVerfG, it considered it helpful to refer question to the CJEU in order to ensure a harmonized application of the law within the EU.

The privacy organisation noyb will file more than 10,000 complaints for use of cookies contrary to its interpretation of compliance.

By Gail Crawford, Myria Saarinen, Tim Wybitul, Wolf Boehm, Charlotte Guerin, and Amy Smyth

On 31 May 2021, the nonprofit privacy organisation noyb (short for “none of your business”) launched a large-scale campaign to combat allegedly unlawful cookie banners and practices. According to a press release, noyb has already sent draft complaints to the operators of more than 500 frequently visited websites, and is intending to send a further 10,000 complaints this year. This is space where website operators arguably have considerable room for interpretation and to develop a variety of approaches for providing cookie information and obtaining cookie consent. Noyb’s campaign seeks to impose its interpretation of applicable cookie rules across the EU through threats of complaints to supervisory authorities.

Affected companies that fail to bring their cookie practices into compliance with noyb’s interpretation of the legal requirements will face complaints brought by noyb to the competent data protection supervisory authorities.

The decision means the CJEU will need to clarify the framework for GDPR damages claims.

By Tim Wybitul, Dr. Christoph Baus, and Dr. Isabelle Brams

The German Federal Constitutional Court has ruled that the Court of Justice of the European Union (CJEU) needs to clarify if the General Data Protection Regulation (GDPR) provides for a materiality threshold for GDPR damage claims. The decision overturns a judgment of the Goslar Local Court of 27 September 2019 regarding the unlawful sending of an advertising email.