Data Dispatch - January 2025

Published on 31 January 2025

Welcome to the latest edition of Data Dispatch from the Data Advisory team at RPC. Our aim is to provide you on a regular basis with an easy-to-digest summary of key developments in data protection law.

Please do feel free to forward on the publication to your colleagues or, better still, recommend that they subscribe to receive the publication directly.

If there are any issues on which you'd like more information (or if you have any questions or feedback), please do let us know or get in touch with your usual contact at RPC.

Data Download

Our Data and Privacy Group will be hosting our exclusive conference, Data Download, on 27 February 2025, with sessions from 2pm. The RPC specialist data teams and the ICO will examine key data protection challenges, from compliance to managing cyber incidents and disputes. Attendees will gain practical insights through an immersive case study, hear directly from Padi Dolatshahi, Principal Lawyer at the ICO, and explore upcoming developments in 2025—all while networking with leading professionals in the field.


Navigating compliance in Italy: Garante’s Stance on OpenAI’s Gedi Partnership and GDPR Violations.

Italian enforcement action in the generative AI landscape gives insight into how Europe may view collaboration with, and compliance of, AI providers. 

The Italian Data Protection Authority (the “Garante”) issued two important decisions concerning generative AI over the last few months.

The Garante has formally warned the publishing group GEDI in relation to its agreement with OpenAI, which involves sharing GEDI’s editorial content to train OpenAI’s AI algorithms. The key issues included: (i) the risks arising from processing sensitive and judicial data contained in GEDI’s digital archives; (ii) that the data subjects had not been adequately informed about the use of their data or given the opportunity to object; and (iii) GEDI’s claim of a legitimate interest in using innovative methods for journalistic activities. On the last point, the Garante ruled that this interest did not justify the transfer of personal data to OpenAI, as the training process falls outside GEDI’s control. The Garante concluded that the data sharing agreement could potentially violate GDPR and warned GEDI of possible sanctions.

In another decision, the Garante fined OpenAI €15 million and ordered it to implement several measures concerning the collection of personal data to train generative AI models and respect for data subjects' rights. The Garante found OpenAI responsible for: (i) failing to notify the March 2023 personal data breach to the Garante; (ii) processing users’ personal data to train ChatGPT without a proper lawful basis; (iii) not adequately informing users about the processing of their personal data, including using that data to train its AI model; (iv) not implementing an adequate age-verification mechanism; (v) implementing an inadequate awareness campaign, since the one required in 2023 was implemented without having been agreed with the Garante and was itself inadequate; and (vi) infringement of the accuracy principle, owing to inaccurate output data from the AI model.

Just a few days ago, following the launch of DeepSeek, a generative AI tool, the Garante requested information from the Chinese companies that own the tool. This further action confirms the Garante's focus on generative AI.

(Garante order in relation to GEDI)

(Garante decision in relation to OpenAI)

This article was authored by Laura Liguori of Portolano Cavallo in Italy, providing insights into the Italian regulatory approach to generative AI.

Data Protection in Generative AI: Perspectives from the ICO and the EDPB.

Insights from UK and EU Authorities on Ensuring Responsible Generative AI Development and Operation.

The use of personal data in the development and operation of generative AI models is a significant area of concern for data protection authorities. Both the UK’s Information Commissioner’s Office ("ICO") and the European Data Protection Board ("EDPB") have published guidance on how these technologies should align with existing data protection laws.

In December 2024, the ICO published a report outlining its stance on generative AI following its public consultation which garnered over 200 responses. The report highlighted several key areas including: (i) the lawful basis for using web-scraped data to train AI models; (ii) determining the data protection roles of entities in the AI supply chain; and (iii) the engineering of individual rights into generative AI models. The ICO found that a lack of transparency around how generative AI uses public data has eroded trust in AI systems, calling on AI developers to be more transparent about their data practices including clarifying: (i) what personal information is being collected; (ii) how it is being used; and (iii) how individuals and publishers can better understand these processes.

The ICO emphasised that while generative AI holds significant potential for the UK, it must be used responsibly and in accordance with data protection laws. Developers are urged to ensure that the personal data used to train these models is obtained lawfully, and that mechanisms for exercising individual rights are built into the models themselves.

Meanwhile, the Irish DPC has sought guidance from the EDPB to harmonise the regulatory framework across Europe on the use of personal data for AI training, development and operation. The EDPB's opinion addressed questions about the anonymisation of AI models, the use of legitimate interest as a legal basis for processing, and the consequences of using unlawfully processed personal data in AI development and deployment.

The EDPB guidance suggests that the compliance of AI models must be evaluated on a case-by-case basis, deferring to local data protection authorities' judgment; it provides a non-exhaustive list of methods for data protection authorities to assess and demonstrate the anonymity of data in AI models.

The guidance also focuses on the validation of the legitimate interest lawful basis for the development and deployment of AI models. It confirmed that legitimate interests could be a valid lawful basis for both developing and deploying AI models, as long as the balancing test favours the data controller’s or a third party's interests over the rights of data subjects, taking into account mitigatory measures. The EDPB has suggested to controllers that publishing this test may assist with increasing transparency and fairness.

Businesses that are considering deploying or providing AI systems, or that already do so, should review the relevant guidance in order to update their data protection compliance programmes.

(ICO's opinion on Generative AI developers)

(Opinion 28/2024 on certain data protection aspects related to the processing of personal data in the context of AI models)

Exploring the ICO's Draft Guidance on Storage and Access Technologies

An overview of the ICO’s latest proposed guidelines for businesses on storage and access technologies.

The Information Commissioner’s Office (ICO) has published a draft update to its guidance on storage and access technologies, crucial for businesses in digital marketing and data management.

The final version will impact how organisations handle user data, aligning with current regulatory standards and legal developments. It is proposed that the guidance will cover a broader range of technologies beyond traditional cookies. Key updates include a structured approach with "must," "should," or "could" directives, integrating insights from recent case law and ICO positions, especially on online advertising norms.

The expanded coverage of PECR-regulated technologies offers detailed rules and examples, clarifying interactions with UK GDPR. A new chapter on consent management highlights practical strategies and common pitfalls for businesses implementing consent collection mechanisms such as cookie banners. Transparency and user consent are emphasised as central principles, with organisations urged to provide clear explanations and genuine choices regarding technologies like cookies.

The ICO is seeking public feedback until 5pm on Friday 14 March 2025.

(ICO guidance on the use of storage and access technologies)
