norm. data protection bulletin: 03rd November 2023

ICO serves enforcement notice for using AI without considering data protection obligations

On 8 October 2023 the ICO issued Snapchat with a preliminary enforcement notice over potential failure to properly assess the privacy risks posed by its generative AI chatbot ‘My AI’. The ICO investigation provisionally found the organisation failed to adequately identify and assess the risks to its users in the UK. In other words, Snapchat did not carry out a sufficient Data Protection Impact Assessment (DPIA).

The ICO said: “We have been clear that organisations must consider the risks associated with AI, alongside the benefits. Today’s preliminary enforcement notice shows we will take action in order to protect UK consumers’ privacy rights.”

This follows an ICO reminder to companies developing or using generative AI that they should be considering their data protection obligations from the outset by conducting a DPIA.

Low-level data breach claims – recoverable costs

From 1 October 2023, fixed recoverable costs (FRC) were extended across the fast track, and a new intermediate track for cases valued up to £100,000 was introduced to cover less complex multi-track cases valued under £100,000. This new FRC regime will significantly impact low-level data breach claims, as the parties can now only recover smaller, fixed amounts than they would otherwise have previously.

It is widely recognised that actual damages in these claims often bear no relation to the often-inflated damages claimed. As a result, such claims are usually allocated to the small claims track. However, for those claims which are not allocated to the small claims track, the extension of the FRC regime will limit costs given and there will no longer be assessment of costs on the standard basis. Often, claimants add further heads of claim to increase complexity and bring a claim out of the small claims track to recover costs. Now, as the FRC regime covers both the fast track and the new intermediate track, many data protection-based claims will most likely fall in to the new FRC regime. 

This development should disincentivise those who bring data breach claims.

FCA fines Equifax £11 million for role in one of the largest cyber-security breaches in history

The FCA has fined Equifax Ltd (Equifax) £11,164,400 for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers to access the personal data of millions of people and exposed UK consumers to the risk of financial crime. 

For more information, see here.

ICO’s Responsibilities re Subject Access Requests

BD submitted a SAR, in response to which BD was provided with copies of some documents, but the organisation declined to provide much of the data sought (on the basis that it was exempt from doing so under the UK’s money laundering rules). BD complained to the ICO which investigated and advised the claimant that the organisation had complied with its obligations and made it clear that no action would be taken. BD brought a claim for judicial review which was dismissed. BD appealed to the Court of Appeal (CA), which decided that:

• the treatment of complaints is within the ICO’s exclusive discretion; and
• the ICO had complied with all of its obligations;
• the ICO’s decisions were ‘completely lawful, both in substance and procedurally’; and
• the ICO was under no obligation to seek further materials or to reach a conclusive determination as to whether the organisation concerned had complied with its obligations (it was sufficient for the ICO ‘to conclude on the basis of the available informationthat it appeared likely that the organisation had so complied’).

This case is the first time the courts have considered the scope of the ICO’s powers when handling SAR complaints. The CA’s decision shows that the ICO is not obliged to investigate every complaint, and that it may be more appropriate – in some cases – to take other action, such as providing advice or guidance.

The judgment clarifies that a complaint to the ICO does not preclude a civil claim being brought against a data controller.