Data Protection | UK Regulatory Outlook May 2023

EDPB publishes guide for small businesses

The European Data Protection Board has launched an online guide to aid small businesses' compliance with the General Data Protection Regulation (GDPR). The guide aims to provide accessible and digestible information for small businesses on the basics of data protection and covers the main areas, including data subject rights, data security, records of processing activity and data breach notifications.

Italian Data Protection Authority un-bans ChatGPT

Following the Italian Data Protection Authority's (the Garante) ban of OpenAI's ChatGPT at the end of April, OpenAI has implemented appropriate measures around the protection of personal data for its users in Italy to allow it to be available again.

The authority had accused ChatGPT of unlawfully collecting users' data and failing to prevent underage users from accessing inappropriate material. OpenAI therefore adopted various measures to address these concerns, including expanding the transparency information provided to users, implementing an age verification system and offering an opt-out to both users and the individuals whose personal data is included in the training data.

However, this is not the end of the matter: while the Garante has welcomed OpenAI's steps, it is still assessing ChatGPT. In addition, data protection authorities in various other countries – including Spain, France, Germany and Canada, but not the United Kingdom – have opened investigations into ChatGPT, including how OpenAI collects data to train ChatGPT. We expect the outcome of these investigations will be monitored closely by other companies that own or use large language models.

CJEU case on the right to obtain a copy of personal data

The Court of Justice of the European Union (CJEU) has clarified whether the right of access under Article 15(3) of the GDPR is fulfilled where a controller provides the personal data in the form of a summary table, or if a controller is required to go further and provide document extracts, entire documents, as well as extracts from databases, in which that data is reproduced.

The CJEU held in its judgment that a data subject must be given "a faithful and intelligible reproduction of all the data" and that a controller must therefore provide such documents or extracts if the provision of them is "essential in order to enable the data subject to exercise effectively" its rights.

The clarification is favourable to data subjects. In our experience, the judgment is not far removed from typical market practice in most cases, although in some cases data controllers have taken a narrower view as to what to provide.

Advocate General's opinion addresses issue of strict liability for GDPR fines

Earlier this month, the Advocate General's opinion to the CJEU advised that Article 83 of the GDPR should be interpreted as meaning that a fine can only be imposed in order to sanction a breach of the GDPR which has occurred intentionally or negligently. However, the opinion reiterated that a controller could be fined even if the unlawful processing is carried out by a processor, provided that the processer is acting on the controller's behalf. The Advocate General's opinion is only advisory and we will need to await the CJEU's formal judgment in due course.

The opinion coincides with another case in which the CJEU held that the right for compensation for non-material damage under Article 82 of the GDPR does not automatically arise for every breach of the GDPR.

EU: Parliament plenary to discuss motion for resolution on EU-US DPF adequacy

The debate over the EU-US Data Privacy Framework adequacy within the European Parliament led to MEPs adopting a resolution on 11 May 2023 that voted against the adequacy decision.

In coming to their decision, MEPs cited concerns over a lack of sufficient safeguards in the framework; in particular, concerns arose over (a) the bulk collection of personal data still being possible in certain cases without prior independent authorisation, and (b) a lack of clear rules on data retention. Other aspects noted included transparency and remedies for data subjects.

There were some positive noises but the MEPs called on the European Commission to continue negotiations with the US in the hope that a position can be reached which will not subsequently be struck down by the CJEU. The vote is not binding on the European Commission, and we will continue to monitor developments as the Data Protection Framework approval process moves forward.

Register for Osborne Clarke's annual data forum!

The big event of the year is finally here and our annual data forum is now open for registration. Please access the links (here for London and here for Bristol) for more details and to register your interest.