Privacy & Data Winter Snapshot

Tuesday 20th February 2024

In this edition, we cover:

  • changing online safety laws in the UK and EU;
  • the ICO’s recent guidance on content moderation;
  • cookie compliance and enforcement;
  • direct marketing fine highlights the importance of consent mechanisms;
  • proposed enforcement against OpenAI/ChatGPT; and
  • compensation claims under the EU GDPR.


Online safety laws in the UK and EU

On 17 February 2024, the EU Digital Services Act (DSA) came into force, which regulates online platforms with a view to: (i) protecting fundamental rights; and (ii) preventing both illegal and harmful activities online. In terms of scope, the DSA will apply to UK companies providing services to users in the EU.

The UK’s counterpart, the Online Safety Act, which received Royal Assent in October 2023, promotes broadly the same objectives within the UK and contains obligations on user-to-user service providers to police their platforms for illegal and harmful content, with potential regulatory enforcement by Ofcom for those who do not comply.

ICO releases guidance on content moderation

The UK Information Commissioner’s Office (ICO) continues to collaborate with Ofcom (the regulator of the Online Safety Act) on effective content moderation. The ICO has, on 16 February 2024, released guidance on privacy implications when platforms undertake content moderation and how organisations should respect individual data protection rights. Read the full guidance here.

Cookie compliance: ongoing investigations by the ICO

In our most recent snapshot, we highlighted that the ICO’s Deputy Commissioner, Stephen Bonner, had warned companies which failed to include a ‘reject all’ button in their cookie banner of impending enforcement action.

In November 2023, the ICO began writing to the UK’s top 100 non-compliant websites with a warning. The ICO has now revealed, in its latest update, that the majority of the organisations it wrote to have implemented cookie consent mechanisms which comply with applicable laws.

The ICO has advised that it will continue to write to organisations with non-compliant cookie consent mechanisms. The ICO is also using AI to ‘accelerate’ its efforts. The ICO’s final message was ‘it makes sense to be compliant before the regulator comes knocking’.

HelloFresh fine highlights the requirement for consent under the UK GDPR to be ‘specific’

In January, HelloFresh was fined £140,000 by the ICO for a direct marketing campaign comprising 80 million marketing messages sent without appropriate consents.

HelloFresh was able to provide evidence that it sent marketing messages only to those who had positively opted in to marketing and had therefore provided consent. However, the consents were not collected in a specific enough way to constitute valid consent under the UK GDPR. For example, consents for SMS and email marketing were bundled into one tick box, which meant the consent was not ‘specific’.

Please see a more thorough review of the judgment at the link below.

Read the full article here

Italian regulator announces intention to fine OpenAI

Italy’s Data Protection Authority, the Garante, announced its intention to fine OpenAI, the company behind ChatGPT, for violations of the EU GDPR. This isn’t the first time the Garante has taken issue with ChatGPT. It had temporarily banned ChatGPT in Italy last year over privacy concerns.

The Garante has now raised concerns with the way the AI model is trained. ChatGPT is trained using masses of information, some of which is data that is scraped directly from the internet, including the personal data of individuals. ChatGPT maintains it has a lawful basis to process this information. This highlights European regulators’ growing concerns over AI, with the EU’s AI Act imminent. Organisations wishing to implement AI technologies should consider their privacy and data protection obligations and undertake a full impact assessment before adopting them.

‘Damage’ must be proved in EU GDPR compensation claims

On 25 January 2024, the Court of Justice of the European Union (CJEU) confirmed that individuals seeking compensation from a data controller under the EU GDPR need to prove that they suffered (“material or moral”) damage as a result of the infringement; it is not sufficient merely to prove the infringement in question. This recent case reflects a landmark ruling of the court in May 2023, in which the court decided that, in order to claim compensation, a causal link between the infringement of data protection law and the actual damage suffered had to be proved.

Whilst the EU court’s ruling is not binding in the UK courts, this is a welcome decision for data controllers who receive claims from individuals regarding their data protection rights.

If you have any questions or would like to discuss your business’ privacy and data protection compliance, feel free to contact one of our experts here.