Blog

Ofcom fines TikTok for failure to comply with information request

On 23 July 2024, Ofcom, the UK’s communications and online safety regulator, issued its final decision to TikTok Information Technologies UK Limited ("TikTok"), imposing a financial penalty of £1,875,000 (reduced from £2,500,000) for breaches related to its compliance with the Communications Act 2003. This decision marks a crucial step in enforcing regulatory standards on video sharing platforms ("VSPs") to ensure the safety and protection of users, particularly minors, and is a sign of Ofcom's likely approach to enforcement under the Online Safety Act 2023.

Cracking down on cookies 2.0: Latest complaints and regulatory actions

This blog post provides an update on the latest developments in cookie complaints and regulatory enforcements following our previous blog post on the surge of cookie-related complaints and the consequential regulatory enforcement actions by data protection authorities ("DPAs") in the UK and EU.

For the purposes of this blog post, cookies and similar technologies are collectively referred to as "cookies".

Data Subject Access Requests – Harrison v Cameron and ACL judgment

On 7 June 2024, a significant data protection judgment was handed down in the High Court case of Harrison v Cameron and ACL. The case highlights three key issues for organisations to take into account when handling data subject access requests:

  1. individual directors may be under an obligation to respond to a DSAR, as well as their company;
  2. requesters may in principle be entitled to be informed of the specific identities of the recipients of their personal data; and
  3. the "rights of others" exemption can take into account the motive of the requester and the wellbeing and safety of other parties.

Guidance on enforcement of UK connected products regime - Product Security and Telecoms Infrastructure Act

Background

The UK Office for Product Safety and Standards ("OPSS") has issued guidance explaining its enforcement powers when addressing non-compliance with the UK Product Security and Telecoms Infrastructure Act 2022 ("PSTIA"). PSTIA regulates the security of internet-connectable products and other products capable of connecting to them, as well as electronic communications infrastructure, seeking to enhance the security and resilience of smart devices and the infrastructure that supports electronic communications. This guidance sits alongside the OPSS's Enforcement Policy, which outlines its risk-based approach to non-compliance.

The guidance explains the five enforcement actions available to the OPSS where there has been a breach of duty under Part 1 of the PSTIA. Part 1 of the PSTIA and the related Product Security and Telecommunications Infrastructure (Security Requirements for Relevant Connectable Products) Regulations 2023 (the "Security Regulations") came into effect on 29 April 2024. Please see this article for further details about the Security Regulations.

Experian's win against the ICO in Upper Tribunal

On 23 April 2024, in another setback for the UK Information Commissioner’s Office’s ("ICO") enforcement efforts, the Upper Tribunal ("Tribunal") agreed with the First-tier Tribunal's ("FTT") decision last year in favour of Experian Limited ("Experian"), dismissing the appeal brought by the ICO. This decision reinforces the lawfulness of the marketing activities in question.

Important CJEU ruling on automated decision making and credit scoring under GDPR

On 7 December 2023, the Court of Justice of the European Union ("CJEU") delivered two new judgments on the scope and interpretation of the automated decision-making restrictions under the GDPR.

Poland: requirement to report even minor personal data breaches

The Polish Data Protection Authority ("Polish DPA") has fined a Polish insurance company approximately €24,000 over a seemingly minor personal data breach.

The EU AI Act: what we know so far and key takeaways

On 8 December 2023, after 38 hours of intense final negotiations, the Council of the European Union and the European Parliament reached an historic, provisional agreement on laws to regulate the use of artificial intelligence in the EU (the "AI Act"). The AI Act marks the world's first comprehensive legal framework to regulate the use of AI, aiming to ensure that "AI systems placed on the European market and used in the EU are safe and respect fundamental rights and EU values". This landmark deal signifies the EU's commitment to AI safety and puts it ahead of other countries such as the US and UK, which are yet to publish their own comprehensive legislation. China has developed its own approach to regulating AI.

The definitive version of the AI Act remains to be agreed. Work will continue at a technical level to finalise the details and text, which will then need to be confirmed by the Council and Parliament, and which is expected in early 2024. Until then, these are the key takeaways from the provisional agreement.