Article 15 GDPR and “Meaningful Information” about Automated Decision-Making: What does this mean for AI? 

Article 15 of the EU and UK GDPR not only gives Data Subjects the right to obtain their personal data from the Data Controller but also the right to receive additional information about the processing. This includes: 

 “the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.” 

A recent ruling by the European Court of Justice (ECJ) sheds light on the concept of “meaningful information” and will have implications for those deploying AI systems. The case in question, C-203/22 Dun & Bradstreet Austria GmbH, concerns an Austrian mobile telecom operator. The company refused to enter into a contract with a customer due to their poor credit score. This decision was based on an automated credit evaluation provided by a third-party credit agency. 

The customer requested access to the information held by the credit agency so that they could understand the decision. The customer was dissatisfied with the disclosed information and so took legal action to demand further clarification on the logic behind the automated decision-making process. The core issue was whether the credit agency was obligated to provide more detailed information about the automated process under Article 15(1)(h) GDPR (as quoted above). The agency argued that doing so would expose trade secrets. However, the court ruled that it must provide “meaningful information about the logic involved” as required by GDPR. 

The Enforcement Court in Austria, tasked with enforcing the ruling, referred the following questions to the ECJ: 

  1. Does “meaningful information about the logic involved” require the controller to provide a comprehensive explanation of the procedures and principles used to come to a specific decision? 
  2. In cases where the controller argues that the requested information involves third-party data protected by the GDPR or trade secrets, is the controller obliged to submit the potentially protected information to supervisory authorities or courts for review? 

Meaningful Information 

In response to the first question, the ECJ confirmed that the phrase “meaningful information about the logic involved” fundamentally refers to all relevant details concerning the automated decision-making process. This includes an explanation of the procedures and principles used to arrive at the decision. 

While the ECJ made it clear that “meaningful information” does not require the disclosure of complex algorithms, it does require a sufficiently detailed explanation of the decision-making process. It emphasised that, in line with Articles 13(2)(f) and 14(2)(g) of the GDPR, which establish transparency requirements, the information must be clear, concise, and easily understandable. Data Subjects should be able to comprehend how their personal data is being processed. The right of access enshrined in Article 15 of the GDPR allows individuals to verify the accuracy and lawfulness of the processing of their personal data, which is a crucial safeguard under Article 22(3) that governs automated decision-making and profiling. 

Trade Secrets  

On the second question, the ECJ struck a delicate balance between Data Subjects’ right to access their data and the protection of third-party rights, such as trade secrets. It reiterated that while data protection is a fundamental right, it must be weighed against intellectual property protections as outlined in Recital 63 of the GDPR. 

The ECJ said that if providing access to personal data could violate the rights of third parties, such as revealing trade secrets, the controller must assess whether it is possible to disclose the information without infringing on third party rights. In cases of conflict, the issue must be referred to the relevant supervisory authority or court to decide on an appropriate solution. 

Importantly, the ECJ ruled that no Member State can impose a blanket ban on disclosing business or trade secrets, as doing so would undermine the GDPR’s requirement for a balanced approach to competing rights. In situations where access requests are contested, controllers are required to provide relevant information to supervisory authorities or courts, enabling an informed decision based on the principle of proportionality. 

So what are the implications of this ECJ ruling for AI systems?

While the ruling specifically focusses on the EU GDPR, it underscores the growing importance of transparency in data processing practices, especially when implementing automated decision-making processes. Organisations using AI for automated decision-making must ensure transparency by providing data subjects with clear, understandable explanations of how decisions are made, even if complex algorithms are involved. Developers must design systems that can deliver “meaningful information” about the logic behind automated outcomes, while deployers must ensure this information is communicated effectively to individuals. Transparency is also a key theme of the recently enacted EU AI Act.

Act Now recently launched the AI Governance Practitioner Certificate. This course is designed to equip compliance professionals with the essential knowledge and skills to navigate this transformative technology being implemented within their organisations while upholding the highest standards of data protection and information governance. 

Footballers’ Objections to Data Processing: Red Card or Red Herring? 

“They play for us, not for the odds, 
They’re not just names for betting gods, 
If you want stats, you best be fair — 
Cos we stand with the players, everywhere!” 

Could this become a popular chant in football stadiums? It could, if a group of football players get their way.  

In the era of data-driven sports and digital fan engagement, betting and gaming companies increasingly rely on detailed player data to power their platforms. From setting betting odds to fuelling fantasy leagues and live-match experiences, this data is central to the user experience. The data ranges from average goals-per-game for an outfield player to height, weight and passes during a game. Some of this data may be sold to the companies by clubs whilst other data may be collected by using public sources or by attending matches.

Back in 2021, Ibrahim Hasan was interviewed by BBC Radio 4 when football players were threatening legal action against companies for the trade in their personal data. The players, led by former Cardiff City manager Russell Slade, sought compensation for the trading of their performance data over the past six years by various companies as well as an annual fee for any future use. We were sceptical, at the time, about the legal basis of any potential claim and its likelihood of success (blog post here).

The GDPR does give players rights over their personal data which allow them to exercise some element of control including the right to see what data is held about them, to object to its processing and to ask for it to be deleted. Last month, Computer Weekly reported that the Global Sports Data and Technology Group, of which Russell Slade is a director, has submitted objection requests, on behalf of the players they represent, to gaming, betting and data-processing companies over the use of their data. They are citing ethical concerns with how the data distribution can affect the players’ career prospects.  

Article 21 of the UK GDPR states: 

“The data subject shall have the right to object, on grounds relating to his or her particular situation, at any time to processing of personal data concerning him or her which is based on point (e) or (f) of Article 6(1), including profiling based on those provisions.” 

Clearly one of the legal bases upon which betting and gaming companies process players’ personal data is legitimate interests (Article 6(1)(f) of the UK GDPR), and so Article 21 is engaged. However, the second paragraph of Article 21 provides a reason for the companies to refuse the objection requests: 

“The controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.” 

What could be “compelling legitimate grounds for the processing”? The companies might argue that their use of player data contributes to a larger economic ecosystem that ultimately benefits all stakeholders in football, including the players themselves. Their case could rest on the idea that engaging fans through betting and interactive gaming drives up interest in football. Increased viewership, in turn, boosts broadcasting revenues, club sponsorship deals, and the market value of football competitions; benefits that indirectly lead to higher wages and endorsement deals for the players. By providing platforms that stimulate engagement, betting companies help sustain and expand the financial health of the sport, from which players also profit. 

Let’s see where this goes. If court action follows, not only will the result have a big impact on the sports data industry but it could also lead to data protection themed chants on the terraces!  

This and other GDPR developments will be discussed in detail in our upcoming GDPR Update workshop. We have a few places left on our next GDPR Practitioner Certificate course starting on 29th May. 

What is the Role of IG Professionals in AI Governance? 

The rapid rise of AI deployment in the workplace brings a host of legal and ethical challenges. AI governance is essential to addressing these challenges and ensuring AI systems are transparent, accountable, and aligned with organisational values. 

AI governance requires a multidisciplinary approach involving, amongst others, IT, legal, compliance and industry specialists. IG professionals also possess a unique skill set that makes them key stakeholders in the governance process. Here’s why they should actively position themselves to play a key role in AI governance within their organisations. 

AI Governance is Fundamentally a Data Governance Issue 

At its core, AI is a data-driven technology. The fairness and reliability of AI models depend on the quality, accuracy, and management of data. If AI systems are trained on poor-quality or biased data, they can produce flawed and discriminatory outcomes. (See Amnesty International’s report into police data and algorithms.)  

IG professionals specialise in ensuring that data is accurate, well-structured, and fit for purpose. Without strong data governance, organisations risk deploying AI systems that amplify biases, make inaccurate predictions, or fail to comply with regulatory requirements. 

Regulatory and Compliance Expertise is Critical 

AI governance is increasingly being shaped by regulatory frameworks around the world. The EU AI Act and regulations and guidance from other jurisdictions highlight the growing emphasis on AI accountability, transparency, and risk management. 

IG professionals have expertise in interpreting legislation (such as GDPR, PECR and DPA amongst others) which positions them to help organisations navigate the complex legal landscape surrounding AI. They can ensure that AI governance frameworks comply with data protection principles, consumer rights, and ethical AI standards, reducing the risk of legal penalties and reputational damage. 

Managing AI Risks and Ensuring Ethical AI Practices 

AI introduces new risks, including algorithmic bias, privacy violations, security vulnerabilities, and explainability challenges. Left unchecked, these risks can undermine trust in AI and expose organisations to significant operational and reputational harm. 

IG professionals excel in risk management (after all, that is what DPIAs are about). They are trained to assess and mitigate risks related to data security, data integrity, and compliance, which directly translates to AI governance. By working alongside IT and ethics teams, they can help establish clear policies, accountability structures, and risk assessment frameworks to ensure AI is deployed responsibly. 

Bridging the Gap Between IT, Legal, and Business Functions 

One of the biggest challenges in AI governance is the lack of alignment between different business functions. AI development is often led by technical teams, while compliance and risk management sit with legal and governance teams. Without effective collaboration, governance efforts can become fragmented or ineffective. 

IG professionals act as natural bridges between these groups. Their work already involves coordinating across departments to align data policies, privacy standards, and regulatory requirements. By taking an active role in AI governance, they can ensure cross-functional collaboration, helping organisations balance innovation with compliance. 

Addressing Data Privacy and Security Concerns 

AI often processes vast amounts of sensitive personal data, making privacy and security critical concerns. Organisations must ensure that AI systems comply with data protection laws, implement robust security measures, and uphold individuals’ rights over their data. 

IG and Data Governance professionals are well-versed in data privacy principles, data minimisation, encryption, and access controls. Their expertise is essential in ensuring that AI systems are designed and deployed with privacy-by-design principles, reducing the risk of data breaches and regulatory violations. 

AI Governance Should Fit Within Existing Frameworks 

Organisations already have established governance structures for data management, records retention, compliance, and security. Instead of treating AI governance as an entirely new function, it should be integrated into existing governance models. 

IG and Data Governance professionals are skilled at implementing governance frameworks, policies, and best practices. Their experience can help ensure that AI governance is scalable, sustainable, and aligned with the organisation’s broader data governance strategy. 

Proactive Involvement Prevents Being Left Behind 

If IG professionals do not step up, AI governance may be driven solely by IT, data science, or business teams. While these functions bring valuable expertise, they may overlook regulatory, ethical, and risk considerations. Fundamentally, as IG professionals, our goal is to ensure organisations are using data and any new technology responsibly. 

So we are not saying that IG and DP professionals should become the new AI overlords. But by proactively positioning themselves as key stakeholders in AI governance, IG and Data Governance professionals ensure that organisations take a holistic approach – one that balances innovation, compliance, and risk management. Waiting to be invited to the AI governance conversation risks being sidelined in decisions that will have long-term implications for data governance and organisational risk. 

Final Thoughts 

To reiterate, AI governance should not be the sole responsibility of IG and Data Governance professionals – it requires a collaborative, cross-functional approach. However, their expertise in data integrity, privacy, compliance, and risk management makes them essential players in the AI governance ecosystem. 

As organisations increasingly rely on AI-driven decision-making, IG and Data Governance professionals must ensure that these systems are accountable, transparent, and legally compliant. By stepping up now, they can shape the future of AI governance within their organisations and safeguard them from regulatory, ethical, and operational pitfalls. 

Our new six-module AI Governance Practitioner Certificate will empower you to understand AI’s potential, address its challenges, and harness its power responsibly for the public benefit.  

AI in Local Government: Navigating the Legal Issues 

Artificial Intelligence is revolutionising many sectors, and local government is no exception. Councils are increasingly integrating AI to enhance service delivery, optimise resource management, and engage with citizens. AI use cases include: 

  • Infrastructure Maintenance and Management: Blackpool Council uses AI for road maintenance through Project Amber, employing AI-powered satellite imagery to detect road damage and potholes.  
  • Public Engagement: Newham Council uses Chatbot Max, a multilingual chatbot, to assist residents with parking permits and penalty charge queries. The council says that in six months, the chatbot handled over 10,000 questions, saved 84 hours in call time, and generated £40,000 in savings.  
  • Crime Prevention and Detection: Wolverhampton Council has installed AI-powered CCTV cameras to crack down on fly-tippers. The cameras have 360-degree vision and can recognise when someone is fly-tipping, sending an immediate report to the Council. 
  • Predictive Analytics for Social Services: In 2018 Hackney Council trialled the Early Help Predictive System. By analysing data on debt, housing, unemployment, school attendance, and domestic violence, the AI system profiled families to determine their need for intervention. Although this pilot programme was dropped a year later, there are many other AI tools which aim to help cash-strapped councils speed up social work. One such tool is Magic Notes, which records social work meetings and emails the social worker a transcript, summary and suggested actions for inclusion in case notes. 

Expect many more AI use cases soon, as the public sector is made to give effect to the Prime Minister’s recent speech in which he pledged that the Government will use AI’s power to “turbocharge” the economy and improve public services. 

Legal Considerations  

While AI offers numerous benefits, several legal issues have to be navigated to ensure responsible and lawful use. These include: 

Data Protection and Privacy: Where personal data is involved in training or deploying AI models, the GDPR of course applies. The transparency provisions and the requirement for a legal basis are of particular importance. In 2022, the Information Commissioner’s Office (ICO) issued a fine of more than £7.5 million to Clearview AI for GDPR breaches. This related to the way the company compiled its online database containing 20 billion images of people’s faces and data scraped from the internet. The company did manage to successfully appeal the fine but the ICO, and other GDPR regulators in the EU, have issued clear warnings to AI companies to ensure they comply with GDPR. 

Transparency and Explainability: The decision-making processes of AI systems can be opaque. Clear information about how AI systems operate and make decisions should be provided. The London Borough of Camden has co-created a Data Charter with residents to ensure clarity and accessibility regarding data use, including AI applications. They produced accessible communications and animated explainers to demystify AI processes for the public.  

Bias and Discrimination: AI systems trained on biased data can perpetuate existing inequalities. Last year, a black Uber Eats driver received a payout after “racially discriminatory” facial-recognition checks prevented him accessing the app to secure work. Councils must be vigilant in auditing AI algorithms to detect and mitigate biases. This involves regular assessments and adjustments to ensure AI applications promote fairness and equality. 

Intellectual Property and Copyright: The use of AI, especially Generative AI applications like ChatGPT, may involve the use of copyrighted materials, raising intellectual property concerns. In December, the Government launched a consultation on Copyright and Artificial Intelligence.  

Accountability and Liability: Determining liability when AI systems cause harm is a complex legal issue. Clear accountability frameworks must be established ensuring that there is always human oversight of AI decisions. This includes defining who is responsible for AI-driven actions and implementing mechanisms for redress in cases of error. 

Regulatory Compliance: There is still no sign of an AI Bill, which was mentioned in the King’s Speech. However, there is plenty of AI guidance for the public sector. The recently published AI Playbook for the UK Government updates and expands on the Generative AI Framework for HMG. It aims to “help government departments and public sector organisations harness the power of a wider range of AI technologies safely, effectively, and responsibly.”  

The adoption of AI in local government presents a unique challenge especially for compliance professionals. By developing a deeper understanding of AI, they can play a leading role in addressing the legal and ethical dilemmas posed by emerging AI technologies as well as position themselves as forward-thinking leaders who can bridge the gap between law, ethics, and technology.  

Act Now recently launched the AI Governance Practitioner Certificate. This course is designed to equip compliance professionals with the essential knowledge and skills to navigate this transformative technology while upholding the highest standards of data protection and information governance.   

We are registering interest in this course which, subject to demand, will run in July, October and November. Register your interest now (no obligation).  

Prohibited AI Systems under the EU AI Act 

This week we wrote about the first parts of the EU AI Act becoming effective on Sunday. One of these was a ban on prohibited AI systems. These are AI practices that are deemed unacceptable due to their potential risks to European values and fundamental rights. 

Yesterday, the European Commission published its Guidelines on Prohibited Artificial Intelligence (AI) Practices. They specifically address practices such as harmful manipulation, social scoring, and real-time remote biometric identification, amongst others.  
   
It is important to note that the guidelines are in draft and subject to formal approval. Nevertheless, they offer valuable insight and should be studied carefully by AI developers and users in the EU and beyond. This includes UK organisations due to the extraterritorial nature of the EU AI Act.  

Breach of the Prohibited AI Systems provisions of the EU AI Act carries a maximum fine of €35 million or 7% of total worldwide annual turnover (whichever is higher). However, the fining provisions do not come into force until 2nd August 2025. 

Do you wish to keep abreast of AI developments? Do you need to sharpen your AI deployment skills? Join our forthcoming AI workshops, Artificial Intelligence: How to Implement Good Information Governance and the EU AI Act and UK Approach to Regulation. We can also help with your AI literacy training programme through our in-house customised training. Get in touch for a quote.

What’s the Problem with DeepSeek? 

DeepSeek, the Chinese equivalent of ChatGPT, is making big waves in the AI world. Since its launch, it has quickly become the top-rated free app on Apple’s App Store, challenging the notion that the US leads the world in AI development. 

DeepSeek’s Chinese developers released the latest version of its app on 20th January (the day of US President Trump’s inauguration), rapidly gaining attention from AI experts and the tech industry. Powered by the open-source DeepSeek-V3 model, it was reportedly developed for less than $6 million, a fraction of the billions spent by its US rivals. Recently, OpenAI and other companies pledged to invest $500 billion in US AI infrastructure. President Trump announced this as “the largest AI infrastructure project in history” to maintain technological leadership in the US. However, DeepSeek’s emergence has impacted US tech stocks. On Monday the Nasdaq index dropped 3%, with chip-making giant Nvidia losing almost $600 billion in market value—the biggest one-day loss in US stock market history.  

Privacy Issues 

While the Chinese media and open-source AI proponents may be celebrating, DeepSeek’s rise necessitates scrutiny regarding its privacy and security risks. Some of these are:  

  • Data Collected: DeepSeek gathers sensitive personal data through natural conversations. 
  • Potential for Influence and Manipulation: As an AI chatbot, DeepSeek can shape opinions and conduct influence campaigns. 
  • Data Storage and Accessibility: Data stored on servers in China is fully accessible to the Chinese government. 
  • Level of User Engagement: Users may unknowingly reveal personal or confidential information through interactive conversations. 

Many of these issues are the same as those raised by TikTok, which was temporarily banned in the US last week. 

Organisations need to closely monitor the AI models employees use; the US Navy recently advised its members to avoid using DeepSeek due to potential security and ethical concerns. It is also important to establish clear policies, procedures, and guidance, especially regarding GDPR compliance.  

Yesterday the Irish Data Protection Commission confirmed to TechCrunch that it has sent a note to DeepSeek requesting details concerning how the data of citizens in Ireland is processed by the company. The Italian data protection regulator has sent a similar note to the company and the DeepSeek mobile app no longer appears in either the Google or Apple app stores in Italy. 

Meanwhile (and with a straight face) OpenAI has accused DeepSeek of distilling knowledge from its models, breaching terms of use, and infringing on intellectual property. OpenAI is itself facing numerous AI copyright lawsuits! 

2025 has just started and the AI news feed is already buzzing.  

Join our Artificial Intelligence and Machine Learning, How to Implement Good Information Governance workshop.   

The Data (Use and Access) Bill: All change or much of the same? 

On 23rd October 2024, the Labour Government introduced into Parliament the Data Use and Access Bill. The Bill was highlighted in the King’s Speech in July (under its old name of the “Digital Information and Smart Data Bill”) where His Majesty announced that there would be “targeted reforms to some data laws that will maintain high standards of protection but where there is currently a lack of clarity impeding the safe development and deployment of some new technologies.” However, this statement of intent does not match the reality; many of the Bill’s core provisions are a “cut and paste” of the Data Protection and Digital Information Bill (DP Bill), which failed to pass before last year’s snap General Election. 

Key Provisions 

Let’s examine the key provisions of the new Bill against those in the DP Bill. 

Smart Data: The new Bill retains the provisions from the DP Bill that will enable the creation of a legal framework for Smart Data. This involves companies securely sharing customer data, upon the customer’s (business or consumer) request, with authorised third-party providers (ATPs) who can enhance the customer data with broader, contextual ‘business’ data. These ATPs will provide the customer with innovative services to improve decision making and engagement in a market. Open Banking is the only current example of a regime that is comparable to a ‘Smart Data scheme’. The new Bill will give such schemes a statutory footing, from which they can grow and expand.  

Digital Identity Products: Just like its predecessor, the new Bill contains provisions aimed at establishing digital verification services including digital identity products to help people quickly and securely identify themselves when they use online services, e.g. to help with moving house, pre-employment checks and buying age restricted goods and services. It is important to note that this is not the same as compulsory digital ID cards as some media outlets have reported. 

Research Provisions: The new Bill keeps the DP Bill’s provisions that clarify that companies can use personal data for research and development projects, as long as they follow data protection safeguards.  

Legitimate Interests: The new Bill retains the concept of ‘recognised legitimate interests’ under Article 6 of the UK GDPR: specific purposes for personal data processing, such as national security, emergency response, and safeguarding, for which Data Controllers will be exempt from conducting a full Legitimate Interests Assessment when processing personal data.  

Automated Decision Making: Like the DP Bill, the new Bill seeks to limit the right, under Article 22 of the UK GDPR, for a data subject not to be subject to automated decision making or profiling to only cases where Special Category Data is used. Under new article 22A, a decision would qualify as being “based solely on automated processing” if there was “no meaningful human involvement in the taking of the decision”. This could give the green light to companies to use AI techniques on personal data scraped from the internet for the purposes of pre-employment background checks. 

International Transfers: The new Bill maintains most of the DP Bill’s international transfer provisions. There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. 

Health and Social Care Information: The new Bill maintains, without any changes, the provisions that establish consistent information standards for health and adult social care IT systems in England, enabling the creation of unified medical records accessible across all related services. 

PECR Changes: One of the most significant changes, copied from the DP Bill, is the increase in fines for breaches of PECR, from £500,000 to UK GDPR levels, meaning organisations could face fines of up to £17.5m or 4% of global annual turnover (whichever is higher) for the most serious infringements. Other changes include allowing cookies to be used without consent for the purposes of web analytics and to install automatic software updates.  

What is not in the new Bill? 

Most of the controversial parts of the DP Bill have not made it into the new Bill. These include: 

  • Replacing the terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, with “vexatious” or “excessive” requests. Explanation and examples of such requests would also have been included.  
  • Exempting all controllers and processors from the duty to maintain a ROPA, under Article 30, unless they are carrying out high risk processing activities.  
  • The “strategic priorities” mechanism, which would have allowed the Secretary of State to set binding priorities for the Information Commissioner. 
  • The requirements for the Information Commissioner to submit codes of practice to the Secretary of State for review and recommendations.  

The Data Use and Access Bill, in its current form, will not fundamentally change UK data protection laws. This is unlikely to change during its passage through Parliament as most of its provisions are copied from the DP Bill introduced by those who are now the official Opposition.  

Want more detail about the Bill and how it will affect your organisation? See our forthcoming  DUA Bill workshop. 

Are you a privacy professional wishing to advance your career in 2025? The Advanced Certificate in GDPR Practice is designed for experienced DPOs seeking to refine and expand their DPO skills and expertise. The course comprises a rigorous set of engaging masterclasses that teach you to dissect complex data protection scenarios and give practical compliance advice. This immersive experience will empower you with the skills and confidence needed to tackle the most challenging data protection projects within your organisation. 

RAC Employees Sentenced for Selling Personal Data 

On 8th October 2024, two former RAC employees were sentenced for unlawfully copying and selling over 29,500 lines of personal information.  

The two former employees worked as customer service specialists at the RAC’s call centre in Stretford. Their unlawful conduct was discovered by the RAC after it installed new security monitoring software. The software showed that employee one had unlawfully accessed and copied personal information relating to people involved in road traffic accidents. A subsequent search of employee one’s mobile phone showed the information was shared in a WhatsApp chat with employee two. Messages indicated that a third party was paying for the information.

At a hearing at Minshull Street Crown Court on 8 October 2024, both former employees were sentenced to 6-month prison sentences, suspended for 18 months, and each was ordered to complete 150 hours of unpaid work. Both defendants had previously pleaded guilty to offences under the Computer Misuse Act 1990 and Data Protection Act 2018. Prosecution costs will be considered at a Proceeds of Crime hearing listed for 5 March 2025.

Section 55 of the old Data Protection Act 1998 can still be used to bring a prosecution where an offence pre-dates the current Section 170 of the Data Protection Act 2018, as in the above case. It is interesting to note that the ICO also cited section 1 of the Computer Misuse Act 1990, which carries a maximum of 2 years’ imprisonment on indictment.

In June 2023, the Information Commissioner’s Office (ICO) disclosed that, since 1st June 2018, 92 cases involving Section 170 offences were investigated by its Criminal Investigations Team. The most recent of these was in September 2024, when an employee pleaded guilty to retaining and selling 3,600 pieces of customer records obtained from the car leasing company he worked for. He was ordered to pay a fine of £1,200 and £300 costs. 

It is important to note that, if a disgruntled or rogue employee commits a data protection offence, the employer may also be liable for the consequences. More in our recent blog post on this subject.


When Oasis met GDPR

To celebrate the Gallagher brothers’ new tour, we asked ChatGPT to compose a poem about privacy using Oasis song titles. How many can you spot? Answers in comments.

In the wonderwall of data, we stand tall, Guarding our privacy, one and all. 

With champagne supernova dreams, we strive, To keep our personal info alive.

Don’t look back in anger, they say, As we navigate the GDPR way. 

Our supersonic rights, clear and bright, In the digital world, we fight the good fight.

Live forever in a world that’s free, From breaches and leaks, let it be. 

With some might say, we take a stand, For privacy laws across the land.

In this morning glory, we find our way, To protect our data, come what may. 

So let’s embrace the GDPR light, And keep our privacy shining bright.


ICO 5th Call for Evidence on Generative AI 

Recently we wrote about “How Generative AI’s Data Appetite is Fuelling Privacy Battles.” Last week the Information Commissioner’s Office (ICO) published its fifth call for evidence on Generative AI. This call focuses on the allocation of accountability for data protection compliance across the generative AI supply chain. It is part of the ICO’s consultation series on generative AI and data protection.

The fifth call for evidence addresses the recommendation for ICO guidance on the allocation of accountability in AI as a Service (AIaaS) contexts made in Sir Patrick Vallance’s Pro-innovation Regulation of Technologies Review.  
 
The allocation of accountability is complicated because of the different ways in which generative AI models, applications and services are developed, used and disseminated, but also the different levels of control and accountability that participating organisations may have.  
 
The ICO is interested in additional evidence on how this works in practice. In the meantime, it provides a summary of its current analysis, the policy positions it wants to consult on and some examples which show how this analysis could be applied in practice.
 
The deadline for submissions is 18th September 2024.
