DATA PROTECTION UPDATES- January 2025

6 Feb

  1. ICO’S 2025 ONLINE STRATEGY
    The ICO has announced
    that the focus of its online strategy for 2025 will be giving users meaningful control over online advertising. As part of this strategy, the ICO will expand its successful cookie usage audit of the top 200 UK websites to the top 1,000 UK websites to ensure compliance with data protection law. It will also clarify how publishers can lawfully deploy ‘consent or pay’ models while maintaining economic viability.
  1. PSEUDONYMISATION GUIDANCE
    The European Data Protection Board (EDPB) has adopted guidelines
    clarifying the role of pseudonimysation under the GDPR and a position
    paper on the interplay between data protection law and competition law. The guidelines highlight the utility of pseudonimised data for complying with the GDPR and mitigating risk. They also clarify that pseudonimised data remains personal data if it can be re-identified. The position paper recommends integrating competition factors into data protection assessments and vice versa, and proposes establishing a single point of contact for supervisory authorities to enhance coordination between them.
  1. TRUMP AND EU DATA PROTECTION
    During his first day in office, US President Trump signed an Executive
    Order to review and potentially rescind Biden’s national security decisions which will bring the 2023 EU-US Data Privacy Framework, which permits data transfers from the EU to the US, under review. In addition, President Trump reportedly sought the resignation of three Democratic members of the US Privacy and Civil Liberties Oversight Board, an organization central to this Framework, casting doubts on the board’s independence.
  1. THE UK GOVERNMENT ON AI
    The UK government has responded
    to the House of Commons Science, Innovation and Technology Committee’s recommendations on AI governance. It agreed that AI-specific legislation and sector-specific AI guidance are needed. It also outlined plans to introduce laws to regulate the most powerful AI models, support pro-innovation AI regulation and continue its involvement in international AI safety initiatives. These efforts are intended to foster responsible AI development and enhance regulatory coordination.
  1. UNLAWFUL DATA TRANSFERS TO CHINA
    Noyb filed complaints
    against TikTok, AliExpress, SHEIN, Temu, WeChat and Xiaomi for unlawful data transfers to China.
    EU law prohibits data transfers outside the EU unless the destination ensures equivalent protection through Standard Contractual Clauses. Given the Chinese government’s unfettered surveillance practices, compliance with EU data protection cannot be guaranteed. Noyb had made requests for the immediate suspension of the transfers and the issuing of fines for GDPR violations.
  1. FINES FOR NETFLIX
    The Dutch Supervisory Authority has fined
    Netflix €4,750,000 for violating the GDPR.
    It found Netflix had failed to provide sufficient and clear information to customers about the purpose and legal basis for collecting their personal data, what data it shared with third parties and why, its data retention period and how it ensured the safety of data transferred outside of Europe.