This week in data/cyber/tech: children's device use; quantifying GDPR enforcement risk; and shots fired in the UK adequacy renewal process.

Viewpoints
April 26, 2024

There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.

Story #1: Children left to their own devices

The Kids Are Alright.

Well, not so fast. A report issued last week by Ofcom, the UK’s communications and online safety regulator, revealed that a quarter of children in Britain aged between five and seven own a smartphone. 

To be clear, we’re not talking about using an adult’s device. We’re also not talking about tablets. These kids have their own phone.

The report also found that half of children under the age of 13 use social media; that 65% of those between five and seven go online to send messages or make video calls; and that 30% of parents would allow their kids to set up a social media profile before the age restrictions imposed by most platforms (typically, 13).

*****

It’s easy to be sanctimonious about this stuff.

Yes, it seems crazy to buy your five-year-old their own phone. Or to allow a seven-year-old on social media.

But parents are doing it for a reason — one that’s not difficult to understand. Who among us hasn’t given the kids their device in the hope of getting a little respite from the parental grind? I did it just this weekend.

*****

Whatever your view, the direction of travel is clear: kids are engaging with technology, in some form, from the earliest stages of their lives.

That demand is being met by a whole range of products and services. Some are very good — others, not so much. But most of them process their users' personal data.

Earlier this month, the UK ICO published the "Children's Code Strategy", in which the Commissioner set out his priorities for protecting children’s data online in 2024 and 2025.

The Strategy builds on the ICO's Children's code, which contains 15 standards that online services (e.g., apps, games, connected devices) need to follow to meet their UK GDPR obligations.

Although the Strategy is aimed at social media and video sharing platforms, its areas of focus should be mandatory reading for all organisations that process children's data in the online context: (1) default privacy and geolocation settings; (2) profiling children for targeted ads; (3) using children's data in algorithmically generated content feeds; and (4) obtaining parental consent for personal data processing.

*****

Children’s data is a key regulatory priority for the ICO. The same is true for many European data protection regulators. And parents.

For that reason, I suspect that we're going to see enforcement in the not too distant future, so watch this space. Perhaps just not on your child’s phone.

Story #2: The known knowns of GDPR enforcement

A common request from clients is to intuit how a regulator might react to [insert a given scenario].

This will usually be framed in the context of a challenging situation (breaches, contentious rights requests, complaints), but not always. The common thread is that the client is not looking for a recitation of the law and guidance; they need something informed and based on practical experience. (For what it's worth, there’s rarely a question to which regurgitating the law is a sufficient answer.)

*****

This exercise requires weighing the knowns, the semi-knowns and the unknowns in order to make a predictive assessment. It's one of my favourite things to do as a lawyer.

Although there will inevitably be an element (sometimes small, sometimes not) of educated guesswork, companies have at least one firm data point on which to rely: how often does the regulator enforce?

Numbers on a page are necessarily a blunt instrument, and each decision turns on its own facts. Nevertheless, we can apply Mark Twain’s line about history (that it doesn’t repeat but often rhymes). There are a finite number of GDPR articles to violate — and although, like Chekhovian unhappy families, all violations are different, there are themes in non-compliance.

*****

On Monday, the European Data Protection Board released its Annual Report for 2023.

Among other things, the report contains a table listing the number and total value of fines issued by supervisory authorities in 2023 and highlights of each authority's enforcement activity (including non-monetary penalties issued).

Do the numbers tell us anything that we didn’t already know?

A small number of DPAs — those in Spain, Germany and Italy — continue to do the heavy lifting on GDPR enforcement (at least in the number of fines issued). And Ireland, France and the Netherlands have the blockbuster fines. Plus ça change.

But when you use these numbers as a starting point, and combine them with data from the platforms that host the details of most, if not all, GDPR enforcement actions (a shout out to GDPRhub and GDPR Enforcement Tracker, here), it's possible to build a picture of enforcement by GDPR article, industry and sanction issued.

*****

Of course, this is only part of the picture. And past regulatory results don't guarantee future performance. But when assessing the known unknowns, being able to point to a known known is a good place to start.

Story #3: The LIBE threatens UK adequacy

“[D]espite having a lot of capacity and resources, ICO enforcement is currently rather weak … In practice, this means that a large number of breaches of data protection law in the UK have therefore not been remedied.”

There we go. The first — official — shots have been fired from Brussels in the will-they-or-won’t-they saga over the renewal of the UK's data adequacy decision.

*****

On Monday, the LIBE Committee of the European Parliament, which deals with data protection (among other things), submitted written evidence to the House of Lords committee that is assessing the UK's adequacy arrangement.

The LIBE is an influential — and informed — voice in European politics, but its opinion won’t necessarily carry the day. Indeed, the LIBE was a vocal critic of granting the UK adequacy back in 2021, and that didn’t stop it happening.

Its evidence is short (less than ten pages) and easy to understand. In a nutshell, the LIBE is primarily concerned (we'll return to this) about: (1) the DPDIB weakening data protection rights and the ICO's independence; and (2) onward transfers to countries that the European Commission does not consider adequate. There's also the criticism of ICO enforcement that forms the quote at the top of this post.

And so, if the DPDIB passes in its current form, would that be fatal for the UK’s adequacy finding?

Notwithstanding the grandstanding that is an inevitable part of this process (and of which we will see a *lot* more in the next 12 months — from both sides of the Channel, let it be said), the LIBE's letter suggests that the answer is “yes”. The letter doesn't say that explicitly, of course. But it uses some version of the word “concerned” 11 times — concerns that would inevitably harden were the DPDIB to become law.

*****

Is there an element of doublethink here?

It's true that the ICO is criticised in the UK for its lack of enforcement. But as I wrote yesterday, the annual report issued by the EDPB this week shows that GDPR enforcement is also patchy across Europe. This isn't a uniquely British problem.

Similarly, the UK may consider that, as a sovereign nation, it would resist being held to ransom regarding the drafting of its laws and bilateral agreements. And if losing its own adequacy decision was the price to pay, then so be it.

All of this will play out in the coming months, so stay tuned.

Subscribe to Ropes & Gray Viewpoints by topic here.