In the December 2024 issue of Data Diaries, guest editor Manuela Finger highlights the top stories in data protection, privacy and cyber security law as we approach 2025. Notable developments include an important decision of the EU Court of Justice about the scope of health data and the right of competitors to take action under data protection law, the UK Data (Use and Access) Bill and updates on new cyber legislation, NIS2 implementation and AI regulation.
Data Diaries - December 2024
Guest editorial – Manuela Finger
We are now close to the end of 2024, but changes in the areas of data protection, technology and cyber security law show no sign of slowing down. I'm pleased to be the guest editor for this latest issue of Data Diaries, which will give you a taster of some of the interesting developments that Addleshaw Goddard's data team in the EU and the UK are advising on.
Deciding questions referred by a German court, the EU Court of Justice decided that a business can challenge a competitor's GDPR breaches through an action for unfair commercial practices. My UK colleagues are closely following the new Labour government's proposals to reform UK data protection law, following two bills launched by the previous government which failed to become law. Back in the EU, there have been multiple important legal developments impacting technology and data, including the deadline for the member states' implementation of the NIS 2 Directive and its security regulations, and the adoption of the Cyber Resilience Act. While we wait for the EU AI Act to become applicable, over 100 companies have signed the EU AI Pact, which contains voluntary commitments to start applying the Act's principles ahead of its entry into application. In addition, the European Commission is consulting on the first General-Purpose AI Code of Practice and the European Data Protection Board is consulting on the data protection aspects of AI models, with a view to publishing a consistency opinion by the end of 2024.
I hope that you enjoy our bulletin – please get in touch with me or another member of our data team if you would like more information about any of the topics covered.
Manuela Finger is a partner in Addleshaw Goddard's IP/IT, Data Protection & Commercial team, based in our Munich office.
Click on the links below to read more:
- Lindenapotheke decision – wide scope of health data and competitor action
- The Data (Use and Access) Bill
- Cyber legislation update
- NIS2 update
- AI regulation update
Lindenapotheke decision – wide scope of health data and competitor action
The Court of Justice of the European Union (CJEU), on a referral from the German Bundesgerichtshof in a dispute between two pharmacists over the online distribution of prescription drugs, has issued a landmark decision (C-21/23 - Lindenapotheke) that expands the interpretation of what constitutes health data under the GDPR and confirms that competitors may invoke breaches of the GDPR under national law.
- Wide Scope of Health Data
The CJEU confirmed the broad interpretation of special category data and found that personal data provided in the course of online orders of pharmacy-only products constitutes health data, even if no medical prescription is required.
The Court’s rationale for extending protection beyond explicit medical information is that such data can reveal health details through deduction or comparison. The mere association between the individual and the therapeutic use of the product the individual purchased is sufficient to establish health data, even if there is no certainty that the product is intended for the customer rather than someone else. As a result, all data linking a person to a medicinal product fall under the stringent protection afforded to health data.
The case concerns pharmacy-only medicines, which may lead to inconsistent case-law across Member States, since whether a given product is pharmacy-only varies from one Member State to another.
The Court did not follow the Advocate General’s (AG’s) Opinion, which had suggested a more purpose- and context-specific approach, against the background that the same reasoning could be relevant to other products that potentially indirectly reveal information about e.g. health or religion, such as gluten-free or halal products; the AG concluded that such a vast extension of special category data would be unmanageable and undesirable. The effects of the CJEU’s decision remain to be seen.
- Competitor action under national legislation
The Court also confirmed that GDPR does not conflict with national laws that allow competitors to take action for GDPR violations on the basis of national law on unfair commercial practices, in that case the concept of an act of unfair competition by violating “the law”. According to the Court, such national law is compatible with GDPR, does not affect consistent protection of data subjects in the EU, and contributes to a high level of data protection.
Even though competitor action undoubtedly promotes enforcement, it may pose a potential hindrance even for careful and law-abiding entrepreneurs, especially given the broad scope of application of the GDPR and some vague definitions. The German courts are thus called upon not to generally affirm the requirements of the Act against Unfair Competition in case of GDPR violations, but to carefully examine whether the violation is likely to noticeably harm the interests of consumers, other market participants or competitors as required by the law.
The Data (Use and Access) Bill
In the United Kingdom, the Data (Use and Access) Bill was published and received its first reading in the House of Lords on 23 October. The previous government was close to finalising legislation to reform UK data protection law, but the bill fell when the general election was called in June. The new Bill replicates many of the proposals from the previous bill, with some changes. The key points that will affect organisations within the scope of UK data protection law are:
- Complaints procedure - the Bill introduces an obligation for controllers to facilitate the making of complaints by taking steps such as providing a complaint form which can be completed electronically, acknowledging complaints within 30 days and responding without undue delay.
- DSARs – the Bill confirms that:
- controllers who process a large quantity of personal data about the data subject have the right to require further information to identify the information or processing activities to which a DSAR relates, which stops the clock until the data subject provides the information; and
- the controller only needs to carry out a reasonable and proportionate search.
- Transparency: the Bill amends Articles 13 and 14 of the UK GDPR (the transparency obligations) so that when the controller is processing personal data for research, archiving or statistical purposes it does not have to provide the information if providing it is impossible or would involve a disproportionate effort.
- Automated decision-making: significant decisions based on automated processing of special category data must be based on explicit consent, contractual necessity or substantial public interest. Other automated decision-making is permitted, subject to safeguards.
- International transfers: the Bill changes the "data protection test" for assessing whether countries provide adequate protection for personal data from "essentially equivalent" to "not materially lower".
- The Bill creates a category of recognised legitimate interests for which no legitimate interests assessment is required.
- The Bill makes a number of changes to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR):
- The Bill provides that consent is not required for certain low-risk cookies, i.e. those that are:
- strictly necessary for provision of information society service requested by the user;
- for statistical purposes;
- for functionality; or
- for emergency assistance.
- The Bill brings fines for PECR breaches into line with the UK GDPR, and officers can be fined if the breach takes place with their consent or connivance or is attributable to neglect on their part.
- The deadline for providers of public electronic communications services to inform the Commissioner of PECR breaches is changed from "without undue delay" to within 72 hours.
- The following provisions, which were in the previous bill, have been dropped:
- The change from DPO to SRI (Senior Responsible Individual);
- Proposed relaxations of the requirements relating to DPIAs and RoPAs; and
- The change in the test for when controllers could refuse to respond to DSARs from "manifestly unfounded" to "vexatious or excessive".
The changes requiring banks to give the government information about the bank accounts of benefits recipients are not in this Bill but it appears that they will be contained in the Fraud, Error and Debt Bill announced in the Autumn Budget.
The Bill passed its second reading in the House of Lords on 19 November, and is currently going through committee stage. It is expected to receive Royal Assent in spring 2025 and enter into force later in the year. We will monitor developments closely and provide updates in due course.
Cyber legislation update
EU Cyber Resilience Act coming into force
The Cyber Resilience Act (CRA) was published in the EU Official Journal on 20 November. The CRA is an EU regulation which will apply to hardware and software products that are connected either directly or indirectly to another device or to a network, subject to some limited exceptions. It introduces EU-wide cybersecurity requirements for the design, development, production and making available on the market of such products. These requirements include:
- Design obligations on manufacturers:
- providing secure by default configuration
- ensuring that vulnerabilities can be easily addressed via security updates
- Obligations on importers to ensure that the manufacturer has complied with its design obligations and take corrective measures to bring a product into conformity with the essential requirements, or to withdraw or recall the product as appropriate
- Obligations on distributors to act with due care and to verify that any in-scope product bears an appropriate CE marking before making that product available on the market, and that the manufacturer and importer have complied with certain obligations, take corrective measures to bring a product into conformity with the essential requirements, or to withdraw or recall the product as appropriate
The CRA will come into force on 10 December 2024 and then become fully applicable in December 2027, although certain provisions will become applicable sooner.
NIS2 update
Member state implementation
The EU member states were due to have implemented the NIS2 Directive, which expands on the existing NIS (Network and Information Systems) Directive, by 17 October 2024. However, at the time of publication, only four member states have done so. On 28 November, the European Commission announced that it is opening infringement proceedings against the remaining 23 member states, giving them two months to complete their transposition of the Directive into national law.
NIS2 requires entities which operate in critical and highly critical sectors, including energy, transport, health, water, banking, financial market infrastructures, digital infrastructure, ICT service management, public administration, space and food, to:
- take appropriate and proportionate technical, operational and organisational measures to manage risks to the security of the network and information systems they use for their operations or to provide their services; and
- report incidents which have caused or may cause severe operational disruption of their services, financial loss or considerable damage.
Implementing Regulation
On 17 October the European Commission adopted an Implementing Regulation setting out the technical and methodological requirements of cybersecurity risk management measures, and criteria for what is considered a significant incident, for certain relevant entities under the NIS2 Directive. This covers:
- Article 2 and the Annex set out the risk management requirements, which provide more details for the requirements set out in Article 21(2) of the NIS2 Directive. These include:
- policies on risk analysis and information system security
- incident handling
- business continuity, such as backup management and disaster recovery, and crisis management
- supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
- security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- basic cyber hygiene practices and cybersecurity training
- policies and procedures regarding the use of cryptography and encryption
- human resources security, access control policies and asset management
- multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems
- Article 3 sets out the criteria, one or more of which must be fulfilled, for an incident to be considered significant, triggering the reporting requirements under Article 23 of the NIS2 Directive.
- Articles 5 to 14 set out the qualifying criteria that apply to particular categories of relevant entities only (DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers and managed security service providers, online marketplaces, online search engines, social networking services platforms and trust service providers).
The UK position - the Cyber Security and Resilience Bill
While the UK implemented the original NIS Directive in the NIS Regulations, it will not implement NIS2. However, the UK government is due to introduce a Cyber Security and Resilience Bill in 2025, which will:
- expand the remit of the NIS Regulations to protect more digital services and supply chains;
- put regulators on a strong footing to ensure essential cyber safety measures are being implemented; and
- mandate increased incident reporting to give government better data on ransomware and other cyber attacks.
AI regulation update
EU AI Pact
On 25 September the European Commission announced that over 100 companies have signed the EU AI Pact, which contains voluntary commitments to start applying the principles of the EU AI Act ahead of its entry into application, which will take place in stages between February 2025 and August 2027. The Pact calls on participating companies to commit to at least three core actions:
- AI governance strategy: adopting a strategy to foster the uptake of AI in the organisation and work towards future compliance with the AI Act.
- High-risk AI systems mapping: identifying AI systems likely to be categorised as high-risk under the AI Act.
- AI literacy: promoting AI literacy and awareness among staff, ensuring ethical and responsible AI development.
European Commission consulting on General-Purpose AI Code of Practice
The European Commission is running a consultation on the first General-Purpose AI Code of Practice, which will set out details of what steps providers of general-purpose AI models need to take to comply with their obligations under the EU AI Act. The consultation covers:
- General-purpose AI models: transparency and copyright-related provisions
- General-purpose AI models with systemic risk: risk taxonomy, assessment and mitigation
- Reviewing and monitoring the Codes of Practice for general-purpose AI models
The deadline for submitting responses has passed, and the Commission is expected to publish a summary of the results and then the Code of Practice in due course.
European Data Protection Board developing consistency opinion on AI models
On 5 November the EDPB held a stakeholder event to consult on the consistency opinion on how the GDPR applies to AI models that it is due to publish by the end of 2024. It appears that this opinion will focus solely on the GDPR and will not consider how this interacts with the EU AI Act. Participants considered questions including:
- When AI models are trained using personal data, how can one evaluate whether they still process personal data and assess the risks?
- If relying on legitimate interests as the lawful basis for processing personal data in AI models, how does the balancing test work?
- In particular, what measures should be put in place to ensure that data subjects' rights and freedoms are balanced against the controller's interests?
We will watch out for the publication of the EDPB opinion and report in a future issue of Data Diaries.
UK position
In the King's Speech in July, the government stated that it will seek to establish the appropriate legislation to place requirements on those working to develop the most powerful artificial intelligence models. No further information is available at present. In the meantime, UK organisations should bear in mind that the EU AI Act has a wide territorial scope, so if they develop, manufacture, distribute or deploy an AI system or its output in the EU, they should consider whether they need to comply.
Next steps
Addleshaw Goddard's data protection specialists have extensive experience of advising our clients on all aspects of data compliance, so please contact one of us if you would like our assistance in relation to any of the issues covered in this newsletter, including compliance with EU legislation such as the Cyber Resilience Act, NIS2 and the EU AI Act or preparing to comply with the UK Data (Use and Access) Bill.
Contacts: Elisabeth Marrache, Helena Brown, Manuela Finger, Ross McKenzie, Samuel Martínez, Claire Edwards, David Hackett.