Month-By-Month Analysis

As you might have gathered, 2023 was an exhilarating year for privacy and data protection watchers. Here’s a highlight from each month of 2023.

❄️ January: Ireland’s Meta fine reveals conflict between EU regulators

On 4 January 2023, the Irish DPC issued a press release announcing its €390 million fine against Meta.

We’ve covered the fine itself. But buried at the bottom of the press release was a very interesting statement—the Irish regulator said it would take the EDPB to court.

As part of the “binding decision” that ordered the DPC to punish Meta for relying on “contract”, the EDPB also directed the Irish regulator to investigate Meta’s processing of “special category data”.

Ireland refused.

“The EDPB does not have a general supervision role akin to national courts in respect of national independent authorities,” the Irish DPC said. “It is not open to the EDPB to instruct and direct an authority to engage in open-ended and speculative investigation.”

Ireland has since lodged an “action for annulment” at the CJEU, which would overturn this part of the binding decision. Over a year later, the case has still not been heard. But the result will determine exactly how much power the EDPB wields over national regulators.

Read our article How (and Whether) GDPR Enforcement Works for more details about Ireland’s long-running dispute with its fellow DPAs.

💖 February: FTC enforcement rampage begins

On 1 February 2023, the US Federal Trade Commission (FTC) issued the first in a series of “consent orders” that would hit many companies through 2023.

This first target was GoodRx, a prescription discount company that shared users’ data with Facebook, Google, and other companies without consent.

The FTC’s action relied on the Health Breach Notification Rule (HBNR). This decades-old law requires certain companies to notify people if their “personal health information” was breached in a “security incident”.

But GoodRx hadn’t been hacked, and no medical records were exposed. Like thousands of other companies, the company shared email addresses, device information, and app activity with Facebook and Google.

For US businesses, the case sent an important message:

  • Seemingly low-risk data can be “personal health information” if it’s associated with a person’s use of health-related websites or services.
  • Sharing data with advertisers without proper notice or consent can be a “security incident” subject to FTC enforcement.

The FTC followed up with two further actions against health companies, then focused on kids’ privacy. So far in 2024, we’ve seen actions against data brokers and lead generation firms.

Read more about the FTC’s actions against companies using Meta Pixel and Google Analytics in our article Big Tech’s Tracking Tools.

🌸 March: UK tables new data protection reform bill

On 8 March 2023, the UK government announced a new version of its data protection and privacy reform bill, the Data Protection and Digital Information Bill (DPDIB).

The UK government had spent several years deriding the GDPR and promising a new law that would “unleash innovation” among UK businesses. But many of the DPDIB’s proposals appeared relatively modest.

  • The new law would provide a set of “recognised legitimate interests”, removing the need for controllers to conduct a “balancing test” before undertaking certain activities.
  • Changes to cookie consent rules would enable website operators to set certain analytics and security cookies without consent.
  • The obligation to appoint a Data Protection Officer (DPO) would be replaced by a requirement to designate a “Senior Responsible Individual” from an organisation’s senior management team.

While many of the bill’s changes appear insignificant, the devil is in the detail.

The UK’s EU adequacy decision is up for renewal in 2025, and allowing controllers to process personal data for vague purposes such as “national security”—without any consideration of data subjects’ rights—might meet opposition among some EU institutions.

🌧️ April: European Commission reveals ‘very large online platforms’ under the EU Digital Services Act

Along with the GDPR and the ePrivacy Directive, other EU legislation also has a role in protecting people’s privacy.

The EU’s Digital Services Act (DSA) is one example. The law takes full effect in February 2024, but a list of companies particularly impacted by the DSA was published by the European Commission last April.

These companies are the Very Large Online Platforms (VLOPs) and Very Large Online Search Engines (VLOSEs), whose platforms attract 10% of the EU population (currently 45 million people) as active users every month.

Here’s the Commission’s list of Very Large Online Platforms (VLOPs), which have extensive transparency requirements and ad-targeting rules under the DSA:

  • Alibaba AliExpress
  • Amazon Store
  • Apple AppStore
  • Facebook
  • Google Play
  • Google Maps
  • Google Shopping
  • Instagram
  • LinkedIn
  • Pinterest
  • Snapchat
  • TikTok
  • Twitter
  • Wikipedia
  • YouTube
  • Zalando

The two Very Large Online Search Engines (VLOSEs) are, perhaps unsurprisingly, Google and Bing.

Note that only two European companies— and Zalando—feature on the Commission’s list.

The dominance of US companies (and one from China) is partly why the EU introduced the DSA’s “sister law”, the Digital Markets Act (DMA).

🌼 May: CJEU delivers three GDPR judgments in one day

On 4 May last year, data protection professionals were treated to three GDPR-related judgments from the CJEU.

Here’s a key takeaway from each case:

  • Case C-487/21: If you receive a subject access request that asks for a copy of the data subject’s personal data, you should provide an actual copy of the data rather than a summary—unless a summary would better help the data subject to check that you’re processing their data lawfully.
  • Case C-300/21: A data subject can sue an organisation for damages if the organisation violates the GDPR. But there has to be some actual damage—whether material (such as a financial loss) or non-material (such as distress). The GDPR is not a “strict liability” law.
  • Case C-60/22: The GDPR’s “right to erasure” allows data subjects to delete their personal data if it has been processed unlawfully. But the “unlawfulness threshold” is not met merely because a controller fails to keep a Record of Processing Activities (RoPA) or implement a joint controller agreement.

There were many more data protection judgments delivered throughout 2023 in areas such as data subject rights, data processors, and automated decision-making—and we might see an even larger number in 2024.

☀️ June: Three new US state privacy laws pass in one week

Last June, three US states passed or enacted significant privacy laws in the same week.

Connecticut’s governor signed SB 3, amending the state’s comprehensive privacy law, the Connecticut Data Privacy Act (CTDPA), shortly before it took effect on July 1. SB 3 significantly broadened the CTDPA’s application and introduced new rules around “consumer health data” and kids’ privacy.

Nevada enacted its My Health My Data Act (MHMDA). Nevada’s MHMDA copies and pastes Washington’s law of the same name. But while the Washington MHMDA is extremely strict (by US standards), Nevada passed a watered-down version with a narrower scope.

Finally, the Oregon Consumer Data Privacy Act (OCDPA) passed. The OCDPA is a fairly unremarkable “Virginia-style” comprehensive privacy law. But with a relatively broad application and the full suite of controller obligations, Oregon confirmed that some states have an appetite for stricter privacy rules.

🎆 July: European Commission approves EU-US Data Privacy Framework

In July 2023, three years of negotiations between Brussels and Washington concluded when the European Commission adopted an adequacy decision in respect of the EU-US Data Privacy Framework (DPF).

Since 2015, Max Schrems has torpedoed two transatlantic transfer frameworks, Safe Harbor and Privacy Shield, leaving EU companies struggling to share personal data with companies in the US.

The new framework attempts to address deficiencies in the previous two, including a lack of “judicial redress” for people subject to illegal surveillance by US intelligence services.

The US Department of Commerce has thrown multiple avenues for redress at the EU-US DPF, including a “Data Protection Review Court”. But whether this “court” is really a “court”—by EU standards—remains to be seen.

Within months of the DPF’s approval, French lawmaker and data protection regulator Philippe Latombe had submitted an “action for annulment” at the CJEU, alleging that the framework violates EU law.

But as Latombe’s choice of legal mechanism is intended for EU institutions and member states, we might not hear the court’s response to his arguments.

As expected, Max Schrems has confirmed that he plans to challenge the DPF via a complaint to the Austrian DPA. So EEA-based organisations might wish to think twice before relying on the framework.

Should you trust the EU-US DPF? Or is it less risky to use EU-based service providers? Read Frequently Asked Questions about the New EU-US Data Privacy Framework to help you decide.

🍦 August: India passes Digital Personal Data Protection Act

In August, India’s long-awaited Digital Personal Data Protection Act (DPDPA) finally passed, after many years of negotiations and re-drafts.

Like most modern data protection laws, India’s DPDPA is clearly influenced by the GDPR. But there are many important differences between the two laws.

For example:

  • Instead of “data subjects”, India’s law has “data principals”.
  • “Data controllers” are “data fiduciaries”.
  • “Legitimate interests” has a similar concept called “certain legitimate uses”. But unlike the GDPR, the law includes nine “legitimate uses” and only one other legal basis: Consent.

Another important difference: Under India’s new law, all international data transfers are allowed by default, with the government empowered to ban transfers to specific jurisdictions.

While some commentators have criticised the DPDPA’s limited impact on government bodies, the law will bring new rights and protections to 1.4 billion people in an increasingly tech-focused society.

🍁 September: EDPB and European Data Protection Supervisor (EDPS) comment on GDPR enforcement reforms

In September, the EDPB and the EDPS (which regulates data protection among the EU’s institutions) gave an opinion on the “Procedural Regulation” proposal to improve GDPR enforcement.

The Procedural Regulation was proposed by the European Commission last July. The law intends to amend the GDPR with the aim to:

  • Provide a complaint form designed to standardise cross-border enforcement.
  • Reform the rules on how data subjects contribute to formal GDPR investigations.
  • Implement a new “cooperation and consistency” system to help DPAs work together.
  • Add specific deadlines in the complaint resolution process.

In their joint opinion, the EDPB and EDPS largely approved of the Commission’s proposals, but—perhaps unsurprisingly—the regulatory bodies recommended greater involvement for national DPAs in the complaint resolution process.

Other observers are less enthusiastic about the reforms, including Max Schrems, who called the proposals an “attack on users’ rights”.

🎃 October: Clearview AI defeats UK regulator’s GDPR fine

October saw a victory for New York-based Clearview AI.

Clearview is building a very large database. The company scrapes images of people’s faces from websites and social media. It has amassed over 20 billion facial images. Each image is associated with a biometric identifier.

Clearview sells access to its database to law enforcement agencies (and, previously, private sector companies). Police provide Clearview with a picture of a person of interest, and Clearview uses biometrics to match the photo to a person in its database.

People in Europe are present in Clearview’s database. If you think this violates the GDPR, you’re right—at least according to regulators in the UK, France, Italy, Greece, Germany, and elsewhere.

The UK ICO fined Clearview around €9 million in 2022, citing violations of the UK GDPR’s rules on transparency, data subject rights, special category data, Data Protection Impact Assessments (DPIAs), and more.

But last October, Clearview beat the ICO at appeal, meaning it won’t have to pay a penny.

Clearview won on some pretty technical grounds—the UK GDPR does not cover activities that fell outside EU law at the time of Brexit. Because Clearview’s clients (the appeal tribunal found) are non-EU law enforcement agencies, its activities were not subject to the UK GDPR.

Clearview has not yet paid any of the multi-million euro fines issued against it by regulators across Europe. But the company has so far chosen to appeal only the UK’s penalty.

The company has long remained adamant that it doesn’t have to comply with the GDPR. While Clearview’s victory in the UK doesn’t easily transpose onto EU versions of the GDPR, the company will undoubtedly be happy with the tribunal’s endorsement of its position.

🦃 November: California regulator publishes draft AI decision-making rules

In November, as the EU struggled to reach an agreement on the AI Act, California published groundbreaking draft regulations on automated decision-making technology (ADMT) under the CCPA.

The state’s dedicated privacy regulator, the CPPA, sets out strict rules for businesses using AI in the following areas:

  • Financial or lending services
  • Housing
  • Insurance
  • Education enrolment or opportunity
  • Criminal justice
  • Employment or independent contracting opportunities or pay
  • Healthcare services
  • Essential goods or services

Under the CPPA’s proposals, businesses using automation in these areas must give consumers meaningful information about how their systems operate, offer human intervention, and state whether their systems have been assessed for bias.

The regulator is also considering extending the rules to companies that profile individuals for targeted advertising purposes.

While arguably not as strict as the GDPR’s rules on automated decision-making, the CPPA’s proposals would be the first meaningful attempt to regulate AI in the US private sector. And the breadth of the regulations means thousands of companies would be impacted—in California and beyond.

🎄 December: EU AI Act crawls closer to the finish line as lawmakers reach agreement

To close the year, the EU’s institutions confirmed that they had reached a deal on the final shape of the AI Act.

At the time, we didn’t have the finished text of the regulation. But a press release from the Parliament confirmed that the deal included the following:

  • Strict safeguards on the development of general-purpose AI systems.
  • Restrictions on the use of biometric identification systems by law enforcement agencies.
  • A ban on “social scoring” systems.
  • A prohibition on using AI to manipulate people or exploit people’s vulnerabilities.
  • A new complaints process.
  • A right to obtain an explanation about the logic involved in AI-based decisions.
  • A new penalty regime, with fines of up to €35 million or 7% of global turnover for the most serious offences.

While the Parliament and the Council did reach a compromise, they had not quite reached the finish line.

Even in early 2024, the AI Act has not yet passed—and it could be several years before it takes effect. But the law is extremely ambitious and will majorly impact the economy and human rights in the EU (for better or worse).