It’s been a busy week in the world of data protection, so a bite-sized round-up is in order:
- IAB Europe issued a statement expressing “grave reservations” about the EDPB opinion on "consent or pay". The statement focussed in particular on the economics of online services and the fundamental freedom to conduct a business. It must be said that the EDPB gives those factors very little weight in the opinion.
- Google has announced that its long-anticipated phase-out of third-party cookies has been pushed back to early 2025 at the earliest, noting challenges in reconciling feedback from industry and multiple regulators.
- A group of 670 claimants has issued proceedings against Grindr in the UK, claiming that it unlawfully processed and shared users’ data with third parties (including for advertising purposes) and that the data included sensitive data such as details of users’ HIV status. Grindr has denied the allegations, saying they mischaracterise its practices.
- The ICO has lost its appeal to the Upper Tribunal in the long-running Experian case. The First-tier Tribunal had previously overturned the majority of the ICO's original Enforcement Notice, finding that legitimate interests was a valid approach and that Experian had largely done enough from a transparency perspective. The UT did not find any errors of law which were sufficient for it to disturb the FTT’s findings.
- In another (!) Schrems v Meta case, an AG Opinion found that meeting the manifestly made public condition for special category data is not enough on its own to justify processing the data for ads purposes. Instead, it merely “lifts” the special protection afforded to the data under Article 9, meaning it must then be assessed as “ordinary” personal data (and therefore needs to be processed lawfully, transparently and proportionally and must meet the purpose limitation obligation).
- Finally, the EDPB has released its organisational strategy for 2024-2027. Interestingly, this notes the need for a common enforcement culture across the EU and supports efforts for a new EU regulation laying down additional procedural rules for GDPR enforcement. It's fair to say that the application of the one-stop-shop procedure has been the subject of controversy to date, and the EDPB is clearly looking for things to work more smoothly going forwards.
Please do look out for a soon to be released episode of our Legitimately Interesting podcast covering the thorny topic of data retention and deletion.
To mark the release of our annual Data Protection Top 10 publication, we will host an in-person seminar which will cover the most important developments to look out for in the ever-changing world of data protection.