Data Protection Updates - November 2024

17 Dec

1. AI FOR RECRUITMENT

The ICO published a report on using and developing AI tools for recruitment. The report provides seven key principles to keep in mind: (1) fairness, (2) transparency and explainability, (3) data minimisation and purpose limitation, (4) data protection impact assessments, (5) data controller and processor roles, (6) explicit processing instructions, and (7) lawful basis and additional condition.

The recommendations highlight the expectation for AI providers and employers to ensure they comply with their data protection obligations.

2. DIRECT MARKETING

The Financial Conduct Authority, the Information Commissioner’s Office (ICO) and The  Pension’s Regulator issued a joint statement providing clarity for firms and pension scheme trustees and managers.

They explain that pension scheme trustees and managers can provide regulatory communication messages to customers, even if they have not obtained direct marketing permissions, provided that they provide neutral and factual information enabling customers to make informed decisions.

3. PRIVATE INVESTIGATORS

The ICO published a Code of Conduct for private investigators to which they can sign up. Signing up to the Code will indicate which investigators are compliant with data protection requirements. The Code is aimed at helping investigators in balancing their investigations with people’s right to privacy.

4. CYBER RESILIENCE ACT

The EU Cyber Resilience Act has been published in the Official Journal of the European Union.  It sets  cybersecurity requirements for the design, development, production and market availability of products that have digital elements.

Products compliant with the Act will bear the CE marking to allow customers to identify compliant products.

Whilst some requirements will apply from 11 June 2026, full compliance will only be required from 11 December 2027.

5.  META v SCHREMS

In C-446/21 (Schrems v. Meta), the Court of Justice of the European Union (CJEU) ruled in favour of Max Schrems, significantly limiting the use of personal data for advertising by enforcing the principle of data minimisation. Additionally, the court restricted the use of publicly available personal data to its originally intended purposes, clarifying that information made public later (such as Max Schrems’ sexual orientation) cannot retroactively justify earlier data processing for different purposes (in this case, advertising

6.  COMBATTING FRAUD

The ICO released new advice urging organisations to share personal information responsibly to combat scams and fraud. It emphasises that data protection laws do not prevent fair and proportionate data sharing, and this guidance aims to help organisations understand how to protect their customers effectively while complying with legal requirements.

For more information, feel free to contact our Data Specialist Deborah Tastiel at Deborah.Tastiel@asserson.co.uk or our Commercial Law partner and Head of Technology, Simon Weinberg at Simon.Weinberg@asserson.co.uk.