The fourth anniversary of the GDPR: what's happened and what's next

On 25 May 2018, the General Data Protection Legislation ("GDPR") came into effect in the EU. Since then, the global data protection stage has seen many key developments. Four years on, the GDPR has become the new world standard for privacy and data protection, with as many as 20 countries around the world introducing new legislation that uses the GDPR as a model to shape their own data protection principles. On this anniversary, we look back at the key privacy milestones since 2018 and consider what the future of the GDPR looks like for UK businesses.


Data Reform Bill announced in Queen’s Speech

On 10 May 2022, it was announced in the Queen's Speech that the UK's data protection regime will be reformed through the introduction of the Data Reform Bill (the "Bill"). This follows the Government's consultation paper on reforms to the UK's data protection regime last September.

Facial recognition goes to war: How AI is being used in Ukraine

The Ukrainian government is reportedly using software developed by Clearview AI Inc. ("Clearview") to identify the bodies of Russian soldiers killed in combat, in order to inform their families of their deaths.

Guidance issued by the EDPB on international transfers of personal data

On 18 November 2021, the European Data Protection Board (the "EDPB") adopted guidelines (the "Guidelines") on the interplay between Article 3 and Chapter V of the EU General Data Protection Regulation ("GDPR"). The objective of the Guidelines is to assist data controllers and data processors, especially those within the EU, with identifying an international transfer. The Guidelines are also intended to address uncertainties that have emerged following the European Commission's new standard contractual clauses, published in June 2021.

Uber accused of using discriminatory facial verification software

An employment tribunal claim has been filed against Uber by one of its drivers over its use of allegedly racially discriminatory facial-verification software.

Facebook shuts down facial recognition system after personal data concerns

Facebook has said it will delete more than 1 billion people’s individual facial recognition data in light of concerns around data protection and ethics. Concerns had been raised that facial recognition technology could compromise privacy, target marginalised groups and normalise intrusive surveillance.

Summary judgment confirms de minimis threshold continues to apply for data breaches

Judge holds that it was "not appropriate" for parties to make claims in the High Court for data protection breaches which were "frankly, trivial".

ICO looking into schools' use of facial recognition to take lunch payments

The Information Commissioner's Office announced on 18 October that it would be in contact with North Ayrshire Council after it was reported that nine North Ayrshire schools had introduced facial recognition technology to allow pupils to pay for their school lunches. The proposed use of facial recognition technology would involve the processing of biometric personal data, which should be treated as a special category of personal data under the UK GDPR where it is used to uniquely identify a data subject.

Project Red Card: privacy concerns for the Premier League

Over 850 professional football players from mid-tier and premier league clubs are seeking compensation from the data collection industry over the unconsented use of up to six years' worth of performance data, in a legal action referred to as Project Red Card.