Blog

Important CJEU ruling on automated decision making and credit scoring under GDPR

On 7 December 2023, the Court of Justice of the European Union ("CJEU") delivered two new judgments on the scope and interpretation of the automated decision-making restrictions under the GDPR.

Poland: requirement to report even minor personal data breaches

The Polish Data Protection Authority ("Polish DPA") has fined a Polish insurance company approximately €24,000 over a seemingly minor personal data breach.

The EU AI Act: what we know so far and key takeaways

On 8 December 2023, after 38 hours of intense final negotiations, the Council of the European Union and the European Parliament reached an historic, provisional agreement on laws to regulate the use of artificial intelligence in the EU (the "AI Act"). The AI Act marks the world's first comprehensive legal framework to regulate the use of AI, aiming to ensure that "AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values". This landmark deal signifies the EU's commitment to AI safety and puts it ahead of other countries such as the US and UK, which are yet to publish their own comprehensive legislation. China has developed its own approach to regulating AI.

The definitive version of the AI Act remains to be agreed. Work will continue at a technical level to finalise the details and text, which will then need to be confirmed by the Council and Parliament; this is expected in early 2024. Until then, these are the key takeaways from the provisional agreement.

Driving data protection compliance: employee vehicle monitoring

What is vehicle monitoring and why?

Vehicle monitoring refers to the practice of collecting and analysing data related to the operation and usage of vehicles. Businesses are increasingly using employee vehicle monitoring to improve productivity, optimise management, and ensure safety, including through telematics systems consisting of GPS technology, onboard vehicle diagnostics and other inbuilt software. GPS technology enables organisations to monitor and manage their vehicles by collecting real-time data on location, speed, fuel use, and more. This data can be used for optimising routes, improving safety, and cutting costs. Vehicle telematics systems that combine GPS technology with other technology enable organisations to gain more sophisticated insights into driver behaviour, vehicle diagnostics, and fuel use. Apart from speed, a telematics system can capture details such as accelerator and brake usage frequency. Other monitoring tools, like dashcams and in-cabin cameras, can enhance security by recording footage inside and around the vehicle.

The monitoring of vehicle telematics systems enables organisations to gather a wealth of data, encompassing not just vehicle-related data, but also personal data such as employee whereabouts, driving habits and other activities. It may even be possible for organisations to collect personal data about third parties, such as passengers or other road users.

ICO launches consultation on new Data Protection Fining Guidance

On 2 October 2023, the UK's Information Commissioner's Office ("ICO") released its draft Data Protection Fining Guidance ("Draft Guidance"). The Draft Guidance provides a comprehensive overview of the legal framework underpinning the ICO's authority to levy fines, the conditions that warrant the issuance of penalty notices, and the factors that influence fine calculations. The Draft Guidance is now open for consultation until 27 November 2023.

Cracking down on cookies: Recent complaints and regulatory enforcement

While the rules relating to the use of cookies and similar tracking technologies in the UK and Europe are long established, it is only in recent years that we have seen a targeted focus by data protection authorities ("DPAs") to crack down on cookie-related compliance. This reaction from the regulators is partly a response to increasing complaints from data subjects and partly due to focused efforts by privacy activists calling for stricter regulation and enforcement action.

Breach response: How do we reconcile international incident and breach reporting requirements?

The exponential increase in the number of cybersecurity threats has led to privacy and security executives acknowledging the need for reconciliation of incident and breach reporting requirements.

ICO publishes new guidance on employee monitoring

On 3 October 2023, the Information Commissioner's Office (the "ICO") published new guidance on employee monitoring. This aims to provide practical advice to ensure that employers comply with their obligations under the UK GDPR and Data Protection Act 2018.