Download the PDF
Data trends 2024
Data trends 2024
Chapter 5: Changes in data privacy and cyber enforcement
By Rachael Annear, Robert Barton, Richard Bird, Laéna Bouafy, Tochukwu Egenti, Adam Gillert, Timothy Howard, Michael Schwaab and Christoph Werkmeister
IN BRIEF
The digital age has brought about intensified scrutiny of data privacy and cyber regulations globally. From varying penalty systems to emerging legislative patterns, these trends signify the evolving priorities of regulators safeguarding data privacy and cybersecurity. Understanding recent privacy and cyber enforcement trends across the US, UK, and EU, provides critical insight for businesses navigating this intricate regulatory landscape.
Over the past year, we have observed an evolution in enforcement postures across those jurisdictions. The US has extended its focus on non-monetary remedies, including the deletion of algorithms developed from improperly obtained data and personal consequences for executives. The UK has moved from headline grabbing fines to an outcomes-based approach, emphasising enforcement variety rather than just monetary penalties. Meanwhile, the EU continues to grapple with the maturation of the GDPR, with enforcement including not only (record) fines, but also diverse corrective measures.
Federal regulators in the US have recently pursued creative and sometimes controversial remedies in enforcing data and cyber regulations.
Timothy Howard
Partner
In a March 2022 settlement with the Federal Trade Commission (FTC), in addition to paying a US$1.5m penalty, a company agreed to delete both the personal data of children that it had allegedly improperly obtained and any algorithms and models developed using that personal data. This follows on a similar consent order issued in 2021 against a photo storage service.
As part of its January 2023 consent order with Drizly Inc. and CEO James Rellas involving the company’s alleged failure to use appropriate information security practices, the FTC issued detailed requirements for the information security program of any company for which Rellas is a majority owner or senior officer for ten years following the entry of the order.
In May 2023, a former Chief Information Security Officer (CISO) was sentenced to three years’ probation and fined after being convicted of charges related to obstruction in connection with an FTC investigation. The CISO is alleged to have taken steps to conceal information from the FTC regarding a second breach that he learned of during the agency’s investigation of a prior breach, both of which exposed personal data.
The anticipated flurry of major fines, which was expected after the UK data regulator, the ICO, imposed double-digit million-pound fines in 2020, has not materialised and, instead, the ICO’s recent approach has been to focus on outcomes, rather than punishment.
In a speech in November 2022, John Edwards, the Information Commissioner since January 2022, stated that:
There’s nothing in the law that says that enforcement must equal fines. Enforcement happens across a spectrum. Rather than being one thing, it’s a series of graduated responses to non-compliance.
This indicated the shift in approach from heavy fines for non-compliance, to an outcomes-based approach where the most appropriate enforcement steps are taken to ensure that the best outcome is chosen. Under this approach, where a company takes the right remedial steps in good time to correct their privacy shortcomings, a public reprimand may be deemed more appropriate than a large fine. However, where the same company has repeatedly breached their obligations under privacy laws, or where there is a particularly serious breach, reprimands alone may not be sufficient. In John Edwards’ words, ‘monetary penalties remain an important regulatory tool and we will use them in instances where they are truly needed’.
In November 2022, the ICO published its ICO25 strategic plan and its regulatory approach, which focuses on a number of priorities, including safeguarding vulnerable individuals. Reflecting this focus, in August 2023, the ICO announced that it will evaluate the cookie banners of the most frequently visited websites in the UK and take action where it finds that harmful design is impacting users.
We expect UK enforcement action against cookies to be focused on complicated privacy controls, default settings that give less control over personal data, and bundling of privacy choices to nudge consumers to share more data.
Tochukwu Egenti
Associate
In the UK the use of cookies is primarily regulated by the Privacy and Electronic Communications Regulations (PECR). One of the changes being introduced by the UK Data Protection and Digital Information Bill is to increase the maximum level of fines the ICO can issue for breaches of PECR, from £500,000 to the higher of 4% of worldwide turnover, or £17.5m (ie, the maximum penalty under the UK GDPR). Therefore, if this Bill is passed, we can expect to see much higher fines for breaches of PECR, especially with the ICO’s renewed focus.
(Source: Freshfields data)
Since the introduction of the EU’s General Data Protection Regulation (GDPR) five years ago, the EU GDPR’s enforcement regime has exhibited an evolving maturity with an impressive record of financial sanctions but also a broader spectrum of corrective measures on the horizon. Fines have particularly impacted technology companies. While fines have made headlines, the EU’s GDPR empowers DPAs with diverse corrective measures. Limitations on processing, for instance, could have a more profound business impact than financial penalties.
Data transfers to the US have been heavily scrutinised by EU DPAs in recent years, given the conclusion of the EU Court of Justice in 2020 that the US does not offer a sufficient level of protection for personal data. In this context, DPAs raised the concern that organisations often do not implement sufficient additional technical and/or organisational measures when relying on standard contractual clauses (which are one of the most common transfer mechanisms relied on).
A new EU-US Data Privacy Framework (EU-US DPF) was adopted in July 2023 to facilitate personal data transfers to US entities participating in that scheme. Given the continued uncertainty over whether the EU-US DPF will survive an expected legal challenge (and other limitations) it is likely that many personal data transfers to the US will continue to rely on other mechanisms such as standard contractual clauses.
It remains to be seen how the various additional safeguards and recourse mechanisms introduced by the US to support the new EU-US DPF, but which also have relevance to other common transfer mechanisms, will be reflected in future regulatory decisions.
Regarding cookie banners, in particular various forms of nudging are regularly criticised by EU DPAs. Examples include cookie banners that use a traffic light-like colour and design scheme (‘accept all’ = green button; ‘reject all’ = red button) or which make rejection of cookies more onerous than accepting them.
The French DPA has been particularly pro-active in enforcing against cookie banners and imposed over €400m of fines in recent years in relation to alleged violations of cookie laws.
Companies, especially those with a French user base, should therefore consider auditing their cookie banners to ensure they are compliant.
Recent decisions confirm the French DPA’s severity with regard to cookie and other tracers’ violations and remind companies of all sizes of the importance of compliance with applicable requirements. The French DPA is paying particular attention to ‘dark patterns’, ‘tracer walls’ and alternatives to third-party cookies used to circumvent limitations on the deposit of cookies (‘fingerprinting’, ‘single sign-on’ etc). See our blog post on this for further background.
Laéna Bouafy
Associate
The enforcement trends outlined above show the importance of companies and other organisations continuing to place emphasis on compliance with privacy and related laws. There is ample opportunity for regulators on both sides of the Atlantic to impose onerous non-monetary penalties on organisations in addition to, or instead of, heavy fines.
The risk of personal liability for CISOs and other corporate officers not only elevates the stakes for organisational compliance but makes it a personal imperative for executives.
Regulators are demonstrating a concentrated effort to shield the rights of vulnerable individuals, especially children. Companies need to be particularly diligent with data concerning minors, ensuring that any data collection practices are transparent and consensual.
In addition, those companies leveraging AI must maintain their data sources’ integrity and ensure algorithms are built in accordance with privacy law standards.
More generally, companies can expect continued regulatory scrutiny of their online practices, with the UK and EU focusing on cookie-banners and user consent—areas which are often overlooked.
Finally, in the EU, international data transfers are likely to remain a major area of focus from regulators.