Data Protection updates – May and June 2023

A slightly different article this time in that we are providing a snapshot of recent data protection news. An eyeopener for companies to think about when contemplating their own data protection compliance.

May 2023

Meta, the owner of Facebook, was fined an astonishing EUR 1.2bn for the mishandling of user’s data. The fine was imposed by Ireland’s Data Protection Commission (“DPC”) – arising from a legal challenge brought by the Austrian privacy campaigner, Max Schrems, over allegations that the Edward Snowden revelations showed that EU users’ data was not sufficiently being protected from US Intelligence agencies when it was being transferred overseas to the US. Alongside the fine, the DPC’s decision stated that Facebook must, within six months from the date of the decision (12th May 2023), ensure that transfers of EU data comply with GDPR.

This ruling does not apply to data transfers on Meta’s other key platforms, Instagram and WhatsApp. Meta intends to contest the decision and request a suspension of the data transfer directive.

The present law, under GDPR, states that when companies transfer data out of the European Union, there is an obligation to ensure that the correct processing mechanisms are in place. The regulator found that the mechanism used in this case, namely Standard Contractual Clauses (“SCC’s”), “did not address the risks to the fundamental rights and freedoms of data subjects that were identified by the courts in its judgement.”

The decision, unsurprisingly, has faced criticism by Meta’s chief executives who stated that they were ‘disappointed to have been singled out’ as many other big companies have these same legal mechanisms in place. A response from the regulator was that they hope that introducing a new framework for transatlantic data transfers will provide US tech giants with stability and legal certainty regard data transfers moving forward.

According to Meta, its services will continue to function even if the arrangement regarding the new transatlantic framework is not established. Previously, the company had warned that a ban could result in the suspension of its European services. Meta also revealed in an investor call last month that terminating the data transfer could result in a potential loss of 10% of its advertising revenue, which is considerably more than the £1bn penalty imposed. As Meta is contesting this verdict, it may need to devise an alternative strategy for handling user data across Facebook and its other platforms – an approach that its rivals will be closely observing. Needless to say, this is not the first time we have seen a ‘big tech’ business being penalised over its data protection conduct and is possibly not the last.




Boots, BBC and British Airways have all reported cyber attacks by a cybercrime group which stole their employees’ personal data. Further, they have also been given ultimatums to pay ransom sums, with the group claiming that if the requested sums are not paid, they will publicise the stolen data.

According to Microsoft, the attack has been traced back to a group that it has named as ‘Lace Tempest’. This group is recognised for using a type of ransomware called Clop, as well as publishing announcements of their activities on the dark web where they showcase their ill-gotten gains and threaten to publish the stolen information of affected individuals.

Posted on the Clop dark web site, the hackers wrote that for companies who use MOVEit (the breached software used to move sensitive data like employee addresses and bank details safely) there is a chance that they have downloaded a lot of data as part of their ‘exceptional exploit.’ Whilst the three ‘B’s’ are likely to have strong data protection mechanisms in place to circumvent such attacks, it is a stark reminder for companies to recognise and analyse the data security measures of their third party software solution systems.

The media regulator, Ofcom, published a report on 12th June 2023 which stated 418 of their own employee’s data had been breached. They also confirmed that they had taken immediate action to prevent further use of the MOVEit service across affected businesses they regulate, whilst implementing the recommended security measures themselves. Ofcom also confirmed that they referred the matter to the data protection and security regulator, the ICO. Reports also stated that Transport for London (“TfL”) too had been affected by the attack as one of their contractors had suffered a data breach (which was not related to any passenger data).

The recent incident involved an exploitation of a vulnerability in MOVEit that was previously unknown which enabled the cybercriminals to secretly access the data without causing damage to the victim’s networks. This type of vulnerability is referred to as a zero-day vulnerability owing to the short amount of time between its identification and exploitation by attackers. The attack is a stark reminder to businesses of all sizes regarding the risks of cybersecurity breaches and the importance of having monitoring and due diligence mechanisms in place to reduce the risk of a breach, together with the appropriate policies and procedures to react promptly should they be faced with a similar situation.

June 2023

Following their talks in Washington USA, Prime Minster Rishi Sunak and President Biden announced their plans to strengthen the UK – US data bridge which would allow for the free flow of data between organisations in both countries. 

This declaration signifies the UK’s aim to set up a data bridge for the UK Extension to the EU-US Data Privacy Framework, subject to the UK’s evaluation of the data bridge and finalising additional technical work. The success of the plan is reliant on the US declaring the UK as a qualifying state under Executive Order 14086.

It will be interesting to see the proposals regarding how personal data will transfer across the Atlantic in a manner that will protect both UK and American data subjects post transfer. The government published a report which explained that the data bridge would “uphold the rights of data subjects, facilitate responsible innovation, and provide individuals in both countries greater access to the services that suit them, whilst reducing the burdens on businesses and delivering better outcomes for people.”

The goal? To facilitate trusted cross-border data flows in support of international collaboration to meet the global challenges and opportunities on data. It has been stated that multilateral initiatives, such as the Global Cross-Border Privacy Rules Forum (which it is understood the UK applied, in April 2023, to join as an associated member), will work collaboratively in reaching this significant milestone.

If you would like to find out more information on how to improve your own data protection mechanisms or regarding international data transfers, please contact Olivia Larkin or Mark Chapman at

Olivia Larkin
Solicitor, Commercial
View profileContact Us

This reflects the law and market position at the date of publication and is written as a general guide. It does not contain definitive legal advice, which should be sought in relation to a specific matter.

Latest Legal Insights

Best Law Firms 2024

Herrington Carmichael has once again been named in the Times Best Law Firms. We were first listed in 2023 and have once again made the Best Law Firms list for 2024.

Best Law Firm 2024