HAPPY INTERNATIONAL DATA PRIVACY DAY: OUR PREDICTIONS FOR 2022

Happy International Data Privacy Day! And what better day than today, to explore what 2022 is likely to have in store for data and privacy?

One year on from the introduction of the UK GDPR in a post-Brexit Britain. Two years on from the start of a global pandemic which forced a discussion around the tension between public health and data privacy. And over three years on from the GDPR coming into force across Europe, and by extension the world. But the passing of time does not appear to have diminished the worldwide focus on data and privacy issues.

In this post, we set out some predictions for data protection and privacy UK and EU developments in the year to come.

UK Data Protection Reform

2021 was the year that the UK Government hinted that it might think outside of the box in terms of data protection regulation. In September 2021, the UK Department for Digital, Culture, Media and Sport (“DCMS”) published its wide-ranging consultation on data protection reform. The DCMS Consultation is the first step in the Government’s plan to deliver on ‘Mission 2’ of the National Data Strategy, underpinned by a desire to boost innovation and economic growth for UK businesses while strengthening public trust in the use of data. The proposals were expansive, seeking to create an adaptable and dynamic set of data protection rules that underpin the trustworthy use of data. They mark a move away from a rigid set of rules, towards a more outcome focussed regime, in order to reduce burdens on business. The consultation closed in November 2021 and the results are expected in Spring 2022. For further detail about the reform proposals, please see our blog post, available here.

A new regulator for the UK

On 4 January 2022, John Edwards began his new role as UK Information Commissioner, on a five year term. The new regulator spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeded Elizabeth Denham CBE, whose term as UK Information Commissioner ended last year. The new Information Commissioner’s agenda, approach and priorities will become clearer during his first full year in the role. However, it seems likely that one of his top priorities for 2022 will be the enforcement of the Age Appropriate Design Code to better protect children online, together with the Online Safety Bill.

The fallout from enforcement – privacy notices and cookies

2021 saw some significant enforcement action – including fines of EUR 746 million, EUR 225 million and EUR 150 million. Interestingly, these significant fines haven’t resulted from big data security breaches; rather, we have seen a regulatory focus on data protection principles – particularly transparency – and cookies. Whilst in the UK at least, it is possible that current rules around cookie consents may be ‘relaxed’ as a result of the data reform proposals described above, it seems likely that this kind of significant enforcement could result in widespread updates to privacy notices and cookie practices in 2022. For further details regarding the likely impact on privacy notices in particular, please see our summary, available here[1].

Testing the EU cooperation mechanism

Although 2021 has seen significant EU GDPR enforcement action as described above, it has also shone a spotlight on the apparent differences of opinion between Member State regulators when it comes to enforcement. In the 2021 WhatsApp enforcement action, objections raised by the EU regulators to the Irish Commissioner’s proposed enforcement resulted in a referral to the EDPB for resolution. In December 2021, concerned MEPs also sent a letter to EU Commissioner Reynders to raise concerns about how the Irish Commissioner enforces the GDPR and applies the GDPR’s cooperation mechanism. The MEPs reportedly asked Commissioner Reynders to initiate infringement proceedings against the Irish Commissioner. What is clear is that there is a significant discrepancy between EU supervisory authorities regarding enforcement and the appropriate approach to it. Could 2022 be the year that the GDPR’s cooperation mechanism is tested to its limits? Or could we see individual Member State regulators forging their own path?

International data transfers – Volume 1 (EU SCC re-papering)

On 27 September 2021, the new EU standard contractual clauses (“New EU SCCs“) came into force for the transfer of personal data from the EEA to third countries under the EU GDPR. From that date, the New EU SCCs have been used for any new agreements entered into that rely on model EU data transfer clauses to legitimise the transfer of personal data from the EEA to third countries under the EU GDPR. Existing Agreements incorporating the old EU SCCs remain valid and provide appropriate safeguards until 27 December 2022, meaning that for many organisations 2022 is likely to involve the not insignificant task of “re-papering” agreements relying on the old EU SCCs and replacing them with the new EU SCCs. For further details regarding the New EU SCCs, please see our blog posts, available here and here.

International data transfers – Volume 2 (the UK position)

In August 2021, the UK Information Commissioner published a consultation on international data transfers. The regulator published a draft international data transfer agreement to address transfers of personal data outside of the UK; a draft international transfer risk assessment guidance note and tool; and a draft UK addendum for inclusion to the European Commission’s standard contractual clauses. The consultation closed on 7 October 2021 and we expect to see legislative proposals in 2022, which will finally give organisations certainty on the approach that the UK is taking to international data transfers, although it is unlikely to be the end of the data transfer saga depending upon the results of the DCMS data protection reform consultation described above. For further details regarding the ICO’s international data transfer proposals, please see our blog post, available here.

International data transfers – Volume 3 (Safe Harbor 3.0?)

Shortly after the Schrems II judgment, the US Department of Commerce and the European Commission initiated discussions to evaluate the potential for an enhanced EU-US Privacy Shield framework to comply with the ruling. However, discussions do not seem to have obviously progressed much during 2021 and, without root and branch reform of US surveillance law, it remains unclear how any such framework would avoid the fate of its predecessors the Privacy Shield and US Safe Harbor. Could 2022 be the year that governments in multiple jurisdictions manage to find a way through the legal complexities raised by the Schrems II judgment in order to allow the international transfer of data on a practical level?

ePrivacy and cookies

We have covered the proposed ePrivacy Regulation in our previous data protection predictions and yet the question remains as to whether 2022 is going to be the year that this legislation makes it through the process. Even without the proposed new EU Regulation, some EU regulators have made their focus on cookies very clear – the CNIL has recently taken significant enforcement action against both Google and Facebook for breaches of the cookie rules. The recent DCMS data protection reform consultation also focussed in part on cookies and questioned the appropriateness of the current rules relating to cookie consents. As a result, whether via legislation, reform or regulator action, it seems clear that cookies will be a special dish in 2022.

Tech vs data regulation – the race continues

2021 has seen a continued focus from organisations and regulators alike on innovative technologies and, in particular, AI. Uptake of AI by organisations appears to have increased alongside attempts by data protection regulators to keep pace, protect the privacy of individuals, and ensure fairness in an increasingly AI-driven world. An example of this was the UK Information Commissioner’s 2021 consultation in relation to the use of the beta version of its AI and data protection risk mitigation and management toolkit. We expect to see even more focus in 2022 on the use of AI and innovative technologies against the backdrop of data privacy legislation. For further details on the ICO AI consultation, please see our blog post, available here.

Class actions reborn?

In November 2021, the Supreme Court overturned the Court of Appeal’s decision in the high profile Lloyd v Google case, which could have opened the floodgates for class actions for compensation for loss of control of personal data to be brought on behalf of very large numbers of individuals without identifying class members. The case was brought under the DPA 1998, rather than the GDPR which superseded it. Whilst there may be read across to the current UK GDPR regime, Lord Leggatt specifically stated that he was not considering the later legislation and this could potentially leave the door open for future loss of control claims under the current law. After Morrisons and now Lloyd v Google, could 2022 be the year that we see another attempted data class action reach the courts? For further details regarding the Supreme Court judgment in the Lloyd v Google case, please see our blog post available here.

[1] First published by LexisNexis in October 2021

Miriam Everett, Partner, Digital TMT, Sourcing and Data, London, +44 20 7466 2378
Duc Tran, Of Counsel, Digital TMT, Sourcing and Data, London, +44 20 7466 2954
Angela Chow, Senior Associate, London, +44 20 7466 2853
Chloe Kite, Associate, London, +44 20 7466 2540

New Telecommunications Telemedia Data Protection Act (TTDSG) comes into effect on 1 December 2021

More legal clarity

On 1 December 2021, a new law regulating data protection and privacy in telecommunications and telemedia will come into effect: the German Telecommunications Telemedia Data Protection Act (TTDSG). The TTDSG contains new provisions on digital legacy, privacy protection for terminal equipment and consent management. It intends to create more legal certainty and legal clarity for the protection of privacy in the digital world: For example, it aims to stem the cookie deluge and give website visitors more control over the data collected about them. But not only that: it intends to provide more clarity in the regulatory jungle of the EU General Data Protection Regulation (GDPR), the ePrivacy Directive (yet to be implemented in Germany), the German Telemedia Act (TMG) and the German Telecommunications Act (TKG). To this end, the data protection provisions of the TMG and the TKG are repealed and merged in the TTDSG. In the process, adjustments were also implemented that were necessary due to the GDPR and the ePrivacy Directive.

A new direction for the UK’s data protection regime? The devil is in the detail

A new dawn for UK data protection regulation is upon us, ushering in a “golden age of growth and innovation” according to the UK Government. As Elizabeth Denham’s term as the UK Information Commissioner draws to a close at the end of this month, this is hot on the heels of the UK National AI Strategy and the DCMS’ Consultation Paper (Data: a new direction) for reform of the UK data protection regime.

The DCMS Consultation is  the first step in the Government’s plan to deliver on ‘Mission 2’ of the National Data Strategy, underpinned by the desire to boost innovation and economic growth for UK businesses while strengthening public trust in the use of data.

At 146 pages long, the DCMS Consultation is both comprehensive and wide-ranging. In this blog post we highlight some of the key proposals in the Consultation, alongside the similarly thorough ICO response to those proposals from last month.

Key takeaways:

  • The UK path: In a post-Brexit world, the DCMS’ proposed reforms have potential to significantly alter the data protection landscape in the UK. They aim to establish a “pro-growth and innovation friendly” data protection regime that is more practical and “business friendly”. The proposals intend to be more proportionate and flexible in nature, focussing on a more risk-based approach and representing a shift away from a “one size fits all” approach to compliance with data regulations. They mark a move away from a rigid set of rules, towards a more outcome focussed regime, in order to reduce burdens on business.
  • Wideranging reform: The proposals are expansive, seeking to create an adaptable and dynamic set of data protection rules that underpin the trustworthy use of data. The consultation concentrates on the following areas:
    1. Reducing barriers to responsible innovation, for instance by relaxing/simplifying the rules around organisations’ reliance on the legitimate interests condition to justify the processing of personal data (making it easier to rely upon in the context of conducting research and managing AI systems), clarifying the concept of data anonymisation and removing/limiting some of the restrictions currently placed on conducting automated decision making under Article 22 of the GDPR;
    2. Reducing burdens on businesses and delivering better outcomes for people by amending the current accountability framework with the introduction of risk-based “privacy management programmes” and removing existing requirements in relation to conducting DPIAs, appointing DPOs and maintaining detailed records of processing which align with Article 30 of the GDPR. The proposals also seek to increase the threshold for reportable data breaches to the ICO to breaches where there is a ‘material risk’ to individuals only.
    3. Reworking rules in relation to cookies and direct marketing including aligning the ICO’s fining powers under the PECR regime with those under GDPR;
    4. Boosting trade and reducing barriers to data flows including proposals around the use of alternative transfer mechanisms and adopting a more “risk-based” approach to granting UK adequacy decisions to other jurisdictions;
    5. Delivering better public services by allowing the processing of personal data for public health and emergency situations and providing guidance on the lawful grounds of processing; and
    6. Reforming the ICO to achieve the above goals by implementing new objectives and accountability mechanisms, for example by refocussing its statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust.

Further detail on the range of proposals is set out below at “The deeper dive: Key DCMS proposals, their impact and the ICO response”.

  • Pro-business in practice? Organisations have already invested considerable time and cost in their own GDPR compliance in recent years. Whilst the proposed reform is stated to “offer improvements within the current framework” and is earnest in theory, it remains to be seen whether the proposed divergence from the existing (EU-based) regime will in fact realise the benefits suggested by the DCMS, and whether it really is more “business friendly” in practice.

The proposals appear to be skewed more heavily towards benefiting smaller organisations in particular, which have historically struggled with the burden of data protection compliance. However, with the added administrative layer for organisations (first having to assess their current EU GDPR compliant practices against any new UK requirements, as well as exercise a greater level of discretion as to how best to comply), there is a risk that the reform may prove to be no less burdensome overall, at least at the outset.

And that is without factoring in the added layer of complexity for organisations operating across both a UK and EU footprint and needing to comply with dual diverging regimes – albeit that these multi-jurisdictional organisations may well continue to apply the potentially higher EU “gold standard” across all jurisdictions for consistency. Data protection compliance is not an exact science at the best of times and the proposed divergence may therefore unintentionally introduce further “grey” areas and a greater degree of uncertainty for organisations.

  • Adequacy: How far is too far? But perhaps the biggest question remains over whether the UK is able to maintain its EU adequacy status in the face of these proposed significant data protection reforms. Adequacy does not require a carbon copy replica of the EU GDPR framework and it may be that an element of divergence is possible if the UK continues to maintain a sufficiently protective data regime.

It is too early to tell at this stage. As the ICO response emphasises, as the proposals develop “the devil will be in the detail” (to ensure the final package of reforms adequately maintain rights for individuals). It will also be important to consider the overall impact of the package as a whole and how the various and plentiful proposals all fit together.

It is one thing removing burdens to organisations to deliver growth, but quite another if that then creates further barriers in the process; at its worst, loss of UK adequacy status, increased costs to organisations of using alternative transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK. A scenario that both the EU and the UK will ideally want to avoid. See “Adequacy: How far is too far? That is the question” below.

  • The ICO Response – supportive with some reservations: Whilst broadly supportive of the reform, the intent behind it and the proportionate risk-based approach (recognising that high data protection standards cannot remain “static”), the ICO’s response is peppered with numerous reservations; unsurprisingly taking a more data subject focussed stance – often seeking clarity on additional safeguards to be put in place to ensure data subject rights are not jeopardised and more generally welcoming further consideration of the proposals. It also has strong concerns around reform of the ICO’s own leadership structure, which potentially put the independence of the regulator at risk.

With the “pragmatic” current serving New Zealand Privacy Commissioner, John Edwards, taking the UK ICO helm from January of next year (and with a remit that goes beyond the regulator’s traditional role of focussing only on protecting data rights), it will be interesting to see how these reservations will be reconciled in the short term. Not least, given the DCMS is keen to finalise the proposals set out in the Consultation in the coming months.

The ICO also confirmed it is “crucial we continue to see the opportunities of digital innovation and the maintaining of high data protection standards as joint drivers of economic growth. Innovation is enabled, not threatened, by high data protection standards“.

  • Going against the grain? At a time when we are seeing increased data protection regulation at an international level, as well as territories looking to harmonise their data protection regimes, for now the UK seems to sit in contrast with its focus on divergence and deregulation.

Background: The UK balancing act

The issue of international data transfers has long been the main area of concern from a data protection perspective regarding Brexit; particularly whether or not the UK ensures an essentially equivalent level of data protection to that guaranteed under EU legislation. The European Commission’s adequacy decision confirmed the UK as an adequate jurisdiction for GDPR purposes on 28 June 2021. This allowed the free flow of data from the EU and EEA Member States to the UK without the need to put in place additional measures to legitimise the transfer (such as so called “EU Standard Contractual Clauses” or EU SCCs).

One of the key elements of the decision was that the UK’s data protection system continued to be based on the same rules that were applicable when the UK was a Member State of the EU. However, strong safeguards were also incorporated into the decision; these included the unique so-called “sunset clause” limiting the duration of the adequacy decision and the Commission’s close monitoring of how the UK system evolves (the Commission is entitled to suspend, terminate or amend the decision at any time in the case of problematic developments that negatively affect the level of protection found to be adequate). In turn, this has potential to restrict the extent to which the UK is able to diverge from the EU GDPR regime going forwards.

Since the UK left the EU, there have been suggestions that the UK may pursue a more relaxed, business-minded approach to data. In particular, the DCMS’ National Data Strategy and the Government’s “10 tech priorities” sought to pave the way for harnessing and “unlocking the value” of data across the economy. An approach mirrored and built on in the DCMS Consultation.

However, such an approach will clearly need to be carefully balanced against the UK’s position on data vis-à-vis the EU, particularly to ensure that any divergence from EU legislation is seen as sufficiently protective if the UK is to continue to benefit from the adequacy decision. See “Adequacy: How far is too far? That is the question” below.

Adequacy: How far is too far? That is the question

The “business friendly” intentions behind the Consultation indicate a clear intention to diverge from the EU regime and reform the UK rules on data protection so that “they’re based on common sense, not box-ticking. And…having the leadership in place at the Information Commissioner’s Office to pursue a new era of data-driven growth and innovation.”  (Digital Secretary, Oliver Dowden)

But how far is too far to diverge? When does a “business” and “innovation” friendly approach start to erode the level of protection afforded to data transferred from the EU to the UK and jeopardise the recently determined UK adequacy decision? It is one thing removing barriers to international data transfers in order to deliver growth, but quite another if that then creates further barriers in the process; at its worst potentially leading to the European Commission revoking the UK adequacy decision, increased costs to organisations of using alternative transfer mechanisms and ultimately interrupting the free flow of data between the EU and the UK. A scenario that both the EU and the UK will ideally want to avoid.

In the DCMS Consultation itself, the DCMS suggests it is possible to maintain adequacy – on the basis that adequacy does not mean a “word for word” replication of EU legislation – more a shared commitment to high standards of data protection. It cites examples of other EU adequate jurisdictions where this is the case.

The DCMS also makes it clear that any reformed regime will conform to high data protection standards and must be “underpinned by secure and trustworthy privacy standards”. Given the reservations in the ICO’s response, particularly those around data subject rights, as the proposals develop it remains to be seen whether the proposed reform does in fact sufficiently prioritise maintaining public trust in the UK’s data protection regime and, in turn, prioritise the UK’s adequacy status.

However, the Consultation is also accompanied by an impact assessment which includes the direct financial impact on UK businesses if the UK were to lose its EU adequacy status; this totals £1.4 billion over five years (the period in which compliance and SCCs would feed through to affected organisations). There is clearly a fair amount at stake if the UK Government get it wrong.

The Deeper Dive: Key DCMS proposals, their impact and the ICO responses:

The proposals set out in the Consultation are categorised into five key areas below:

i. Reducing barriers to responsible innovation: the proposal seeks to create an adaptable and dynamic set of rules that are flexible enough to be interpreted quickly and clearly in order to fit the fast-changing world of data-driven technologies – in doing so, supporting the Government’s pro-growth, pro-innovation stance. Proposed initiatives include:

  • Easier and more certain reliance on legitimate interests as a lawful basis for processing personal data, through the creation of a limited, exhaustive list of legitimate interests for which organisations can use personal data without applying the balancing test. Whilst the processing would still need to be proportionate and necessary for the stated purpose, this would create a new set of legal bases which would satisfy the legitimate interests test and would give organisations more confidence to process personal data without unnecessary over-reliance on (the transitory and often more challenging to obtain) consent basis, as is currently the case.

Amongst other categories, the proposed list includes “ensuring bias monitoring, detection and correction in relation to AI systems”, “using audience measurement cookies or similar technologies to improve web pages that are frequently visited by service users” and “using personal data for internal research and development purposes or business innovation purposes aimed at improving services for customers”. Whilst the Government acknowledges that any list would need to be sufficiently generic to “withstand the test of time”, it envisages updating the list via regulation-making powers, which seem likely to be invoked given the limited and exhaustive nature of the current (albeit relatively uncontroversial) list.

  • AI and automated decision making: the Government recognises the ability for data-driven AI systems to bring huge benefits, alongside a need to deploy AI tools that innovate responsibly and manage data-related risks at every stage of the AI life cycle. The Consultation considers the interplay of AI technologies with the UK’s current data protection regime.

In particular, and perhaps most controversially, the DCMS invites evidence on proposals to remove or more tightly limit the restrictions on automated decision making (including profiling) under Article 22 of the GDPR (where the decision-making “produces legal effects concerning” an individual or “similarly significantly affects that individual”). The current restrictions include the right to human review, giving individuals the right to challenge and request review of a decision. Whilst the DCMS recognises safeguards are meaningful in some cases (e.g. high risk AI-derived decisions), especially as there is currently no clear approach and standards for wider AI governance, the current operation and efficacy of Article 22 are thought to be uncertain (with limited case law and guidance available in particular). The DCMS is mindful that these provisions need to keep pace with the likely evolution and proliferation of automated decision making and profiling use. This follows a previous recommendation from the Taskforce on Innovation, Growth and Regulatory Reform to remove the provision in its totality, instead permitting use on the basis of legitimate interests or public interests (see above).

Another key area of reform in the use of AI relates to anonymisation, and considering a clear legal test for determining when data will be regarded as “anonymous”; organisations currently rely on the ICO’s code of practice on anonymisation and the recitals to the UK GDPR. The Consultation sets out a couple of options in this regard, including elevating recital 26 of the UK GDPR into the legislation (based on the “reasonable likelihood” that the controller is able to identify the data subject, although this is unlikely to add much to the related ICO guidance on this area). The DCMS is also considering legislation to confirm that whether data is anonymous is relative to the means available to the data controller to re-identify it (as per the approach in the CJEU case of Breyer v Germany when assessing whether dynamic IP addresses constitute personal data).

In an effort to maximise the ease with which organisations can share and process data responsibly, the Consultation supports the development and use of “data intermediaries” as well (e.g. entities that can provide technical infrastructure and expertise to support interoperability between datasets or act as mediators negotiating sharing arrangements between parties looking to share, access or pool data). Whilst this could potentially benefit data sharing particularly for research and development purposes (by introducing a new innovative data sharing framework within the existing data protection regime), there is limited information on this proposal currently in the Consultation itself.

The DCMS has also raised concerns regarding the scope and substance of ‘fairness’ as it applies to the development and deployment of AI under the existing data protection regime, determining that the concept may be best left to sector-specific regulation rather than the ICO. The UK’s forthcoming AI governance framework is likely to provide further clarity on this early next year.

  • Use of personal data for research purposes: among others, the proposal seeks to incorporate a clearer definition of ‘scientific research’ into legislation (principally based on the related recital), consolidate the related provisions, consider the appropriate lawful basis for scientific research and whether the regime should enable data subjects to provide broad consent in circumstances where it is not possible to fully identify the purpose of personal data processing at the time of data collection. The Consultation acknowledges that the data protection regime is currently challenging to navigate and the provisions relating to research are relatively complex and dispersed within the current data protection framework. This is thought to create both real and perceived barriers for organisations, which currently sit at odds with the National Data Strategy looking to encourage reform to support research in the UK.

Key ICO Response

The ICO understands the drivers for greater certainty around use of legitimate interests as a lawful basis. However, rather than removing the need for the balancing test, the ICO envisages a shift in responsibility for carrying out the test from organisations to the Government instead – therefore requiring the Government to feel confident that the processing on any such list does not have a disproportionate impact on data subject rights. The ICO therefore expects the nature, context and detail of the processing to be set out more clearly to provide organisations with the necessary certainty to determine whether their own activities are covered (including how the Government has assured itself that the processing on the list will not have a negative impact without the need for further case by case consideration of the balance). It also called for the Government to provide more detail on how this proposal would interact with the exercise of individuals’ rights (for example, the right to object to the processing of personal data).

The ICO also supports the Government’s proposals relating to research and recognises the need to build trust regarding the fairness of AI and automated decision making. However, it does not agree that removing the right to human review at Article 22 is in the interest of data subjects and feels that this is likely to reduce trust in AI. On the contrary, it suggests extending Article 22 to cover partly (as well as wholly) automated decision making instead. The ICO agrees that providing guidance through engagement with stakeholders (including on what constitutes a “legal or similarly significant effect”) will help clarify what is acknowledged as a complex area, as well as looking more closely at how transparency could be strengthened to ensure human review is meaningful.

ii. Reducing burdens on businesses: the proposal seeks to shift away from a ‘box-ticking’ compliance regime towards one which is more based on a proportionate, flexible and risk-based accountability framework. This would require an organisation to develop and implement a risk-based “privacy management programme” (“PMP”) that reflects the volume and sensitivity of personal information it handles and the type(s) of processing that it carries out. The PMP would include the appropriate policies and processes for the protection of information.

Whilst the proposed changes to the existing framework are relatively significant, and a marked deviation from the EU GDPR requirements, the perceived benefit to small and micro-businesses of “reducing burdens” may well not be realised in practice. In particular, it is possible that the proposal simply substitutes existing accountability requirements with similar (but no less onerous) ones, adding a further administrative layer for organisations: first having to assess their current EU GDPR compliant practices against any new UK requirements, as well as exercising a greater level of discretion as to how best to comply (albeit the DCMS has suggested the ICO may provide related guidance in order to assist).

In particular, the proposed amendments to the existing accountability framework include:

  • Removing the requirement to appoint DPOs and instead exercising discretion in designating a suitable individual, or individuals, to be responsible for the PMP and for overseeing the organisation’s data protection compliance. Whilst this is intended to drive “more effective data protection outcomes” (without the need for the individual to be sufficiently independent, as is currently the case), the DCMS acknowledges there is a risk that removing DPOs could significantly weaken internal scrutiny. Some organisations, e.g. those undertaking high risk processing, may therefore still opt to designate a DPO-type equivalent to independently monitor and assess their organisation’s data protection compliance (to help demonstrate its commitment to the accountability principle), but this would need to be in addition to the proposed individual responsible for the PMP.
  • Removing the requirement for organisations to carry out DPIAs, to allow organisations to adopt different approaches to minimising data protection risks that better reflect their specific circumstances. While the removal of DPIAs means there is an increased risk of organisations undertaking processing that is high risk without adequate prior assessment of the impact of the processing, the Government considers that this will be mitigated by having in place an appropriate PMP.
  • Removing the requirement for prior consultation with the ICO in advance of carrying out high risk processing that cannot be mitigated. Removing the immediate threat of enforcement action is envisaged to encourage and incentivise organisations to engage with the ICO for guidance on high risk processing.
  • Removing record keeping requirements under Article 30 by establishing personal data inventories which explain what personal data is held, where it is held, why it has been collected and how sensitive it is. The new requirements under the PMP would allow further flexibility in how best to do this depending on the organisation’s own circumstances.
  • Changing breach reporting requirements due to the administrative burden on the ICO as a result of over-reporting. This would involve a shift in threshold from reporting a breach unless it is unlikely to result in a risk to the rights and freedoms of natural persons, to a requirement to report a breach unless the risk to individuals is not material. The Government suggests the ICO will publish guidance and examples of what constitutes a non-material risk. This proposal also considers including a new voluntary undertaking process, similar to that in Singapore, which would allow organisations that are able to demonstrate a proactive approach to accountability, to provide the ICO with remedial action plans following a breach, and the ICO may authorise the plan without taking any further action.
  • Amending the data subject access request provisions to introduce a cost limit modelled on the Freedom of Information Act. The Consultation also proposes a nominal fee regime as was the case under the DPA 1998, which is stated not to undermine an individual’s right to access their personal data. The proposal largely seeks to address concerns from organisations that they are overburdened when processing subject access requests, particularly wide-ranging, speculative requests (e.g. as a means to circumvent strict disclosure protocols otherwise required under the Civil Procedure Rules).

Key ICO Response

The ICO acknowledges that there are ways in which the legislation can be simplified, particularly to ensure the regulatory and administrative compliance obligations are proportionate to the risk an organisation’s data processing activities represent. Whilst it welcomes the Government’s commitment to retaining the principle of accountability and is open to alternative approaches to ensuring and demonstrating accountability, the ICO believes further work is required to demonstrate both the additional value that PMPs could deliver and whether the intended benefits could be achieved through more minor changes instead, particularly in light of the potential disruption and additional burden for business that significant change to the existing approach could bring, given the considerable resource organisations have already put into their current approach. Adequate time and resources would be needed for any such transition to take place effectively.

The ICO further agreed there is scope for more flexibility regarding DPIAs; however, it noted that any reform to risk assessments must not result in reducing the robustness or quality of the assessment. Accordingly, the ICO has called for additional information on how organisations can adequately assess data protection risk. The ICO also re-highlighted the benefits of appointing a DPO (given the significant expertise, value and assurance the role can bring to data protection compliance) and suggested that this should not be lost with the reforms. The ICO drew parallels to designated roles in other sectors, for example, an ‘approved person’ under the Finance Act or a Money Laundering Reporting Officer under the UK Money Laundering Regulations. The ICO considers that DPIAs and having an appointed DPO will derive greater value and protection for individuals than the Government’s current proposals. It seems likely that organisations will share the same reservations about the reality of these amendments to the accountability framework.

Regarding changes to data subject access requests, the ICO reiterated the importance of these requests, and that this is only set to increase with the increased collection, use and re-use of data supported under the reforms. Concerned as to whether the proposed changes would in fact inhibit the exercise of this right, the ICO requested further evidence to accurately assess the benefits and risks associated with the proposals – not least to avoid disproportionate outcomes for data subjects, including the most vulnerable. One of the ICO’s alternative suggestions to address the burden of subject access requests (through, for example, use of new technologies when procuring and configuring new IT systems, as well as streamlining internal data management processes), may well not be sufficient on its own in practice.

iii. Reworking rules in relation to cookies and direct marketing: Whilst the focus of the Consultation remains firmly on reform of the UK GDPR, some elements of the proposals touch on the Privacy and Electronic Communications Regulations (“PECR”). On the face of it, these appear relatively minor and are likely to be welcomed by organisations and data subjects alike, particularly with the momentum currently behind initiatives to reduce the current “cookie fatigue”. These proposals include:

  • Changes to cookie rules, as the Government considers how best to balance organisations’ ability to collect data to improve websites against user complaints about the number of pop-ups and the impact on the user journey. Two options are suggested.
    • The first would allow organisations to use analytics cookies and similar technologies without the user’s consent (i.e. treated in the same way as “strictly necessary” cookies under the current legislation, which is the approach currently adopted in France).
    • The second would permit organisations to store information on, or collect information from, a user’s device without their consent for other limited purposes (i.e. a possible list of exemptions).
  • Extending the existing soft opt-in relating to direct marketing (i.e. beyond just organisations where they have previously formed a relationship with an individual during a sale or transaction) to non-commercial organisations (such as charities or political parties) and perhaps as a result of a membership or subscription.
  • Increased enforcement under PECR (i.e. bringing fines in line with UK GDPR); allowing the ICO to issue fines of up to £17.5 million or 4% of global turnover (compared to the current £500,000 levy). This would align with the sanctions regime envisaged under the proposed EU ePrivacy Regulation which is still making its way through the European legislative process and, depending on the relative timing, the proposals have the potential to subject UK based organisations to these more stringent sanctions earlier than their European counterparts.

Key ICO Response

As made clear by Elizabeth Denham at the G7 summit earlier in the year, the ICO agrees that the current approach to cookie pop-ups is not practical for data subjects or organisations and welcomes change to the cookie rules. Whilst the ICO is broadly supportive of the two options proposed by the Government, it requests further clarity on how a possible list of exemptions (without requiring user consent) would work in the context of the wider reforms in the Consultation – particularly in light of the list of legitimate interests for which organisations can use personal data without applying the balancing test (see above), which could have the overall impact of removing appropriate safeguards.

Regarding a proposal to use browser and non-browser based solutions, the ICO acknowledges that this will also require adequate enforcement measures to be put in place to ensure that users’ preferences are sufficiently respected. The ICO saw benefit in extending the existing soft opt-in to non-commercial organisations, provided existing safeguards continued to apply. The ICO also urged the Government to further consider legislating against the use of “cookie walls” (which require users to consent to cookie settings in order to access an online service’s content), given these arrangements can have the effect of removing meaningful choice by data subjects and therefore give rise to a risk of unfairness to those subjects.

Unsurprisingly, the ICO supports the Government proposal to raise fines under PECR and would like to engage with the Government on the potential benefits and costs of bringing the whole of the PECR enforcement toolkit in line with that of the DPA 2018 as well. Again, if pursued and depending on timing, this has potential to give rise to disparity with UK based organisations subject to more stringent enforcement than their European counterparts.

iv. Boosting trade and reducing barriers to data flows: The Government’s ambition is for the UK to be a leader in digital trade and hopes to support international data flows as part of its plan to do so. Given the flurry of developments in the international data transfer arena in the last 12 months, this area remains one to watch at both the UK and EU levels; particularly the fallout from the Schrems II judgement, the EDPB guidance on supplementary measures, the new EU SCCs and the draft UK equivalents. The DCMS Consultation proposals add a further level of complexity (and divergence from the EU regime) in this area, and follow the DCMS’s UK Global Data Plans which included an ambitious programme of priority data adequacy assessments and partnerships (with countries including the US), as well as a UK approach to adequacy assessments – please refer to our related blog for further information.

In particular, the proposals in the Consultation suggest a “risk-based” approach to UK adequacy decisions, focussing more on outcomes, rather than slavishly comparing respective legislation and suggesting a greater focus on proportionality. The proposals suggest that adequacy regulations could be made even in respect of “groups of countries, regions and multi-lateral frameworks” (for example where they share harmonised data protection standards). The proposals aim to relax the requirement to review adequacy regulations every four years, instead placing an emphasis on ongoing monitoring of countries’ relevant laws and practices given that adequacy is increasingly seen as a “living mechanism”.

The Government is also considering legislative amendments to ensure the suite of alternative transfer mechanisms available to UK organisations in the UK GDPR (set out in Article 46 and that permit international transfers of personal data to countries that are not subject to an adequacy decision) are clear, flexible and provide necessary protections for personal data. In particular, this is with a view to developing:

  • proportionality (providing more detailed, practical support for organisations determining and addressing the risks facing data subjects in practice, particularly for smaller organisations). Other proposals also include introducing a “reverse transfer exemption” from the scope of the UK international transfer regime, to alleviate friction for UK businesses where an outbound data transfer is already subject to sufficient protection as part of the inbound transfer to the UK;
  • flexibility and future-proofing (to more adequately reflect the rapidly changing international transfers landscape, as opposed to the current exhaustive list of alternative transfer mechanisms). This will complement the work already underway by the ICO to support organisations to take better advantage of existing options for tailored transfer mechanisms, such as Binding Corporate Rules, Codes of Conduct and Certification Regimes. Other proposals include empowering organisations to create or identify their own alternative transfer mechanisms, as well as those listed in Article 46; likely to benefit organisations with complex data transfer requirements in particular, for example, designing and using bespoke contracts to permit safe international transfers, which would supersede the existing option to develop bespoke data protection clauses requiring approval from the ICO. This is similar to the approach adopted in New Zealand’s data protection regime. The Consultation also considers permitting repetitive use of derogations under Article 49, which could provide flexibility and assurance for organisations that need to rely on them in certain limited but necessary circumstances. Derogations are currently only used as a last resort to legitimise international transfers and, even then, only permitted in very limited circumstances and under specific conditions where adequacy and alternative transfer mechanisms are unavailable; and
  • interoperability (to ensure the UK regime is compatible with any potential new international transfer regimes regardless of the mechanisms they use to transfer data). Whilst a valid and important factor for organisations, it is currently unclear how, and the extent to which, this will be achievable in practice given the intention to diverge from the EU regime in particular and the related complexities in doing so. The proposals also include modifications to the certification schemes framework to provide for a more globally interoperable market-driven system that better supports the use of certifications as an alternative transfer mechanism.

Key ICO Response

The ICO appreciates the need for “real-time flows of data in the digital economy”, whilst also maintaining high standards of data protection in the UK. It supports the proposed risk-based, practical approach to balance these requirements and welcomes the idea of alternative approaches to ensure this is the case. However, the ICO also requests further clarity in a number of areas around the detail of how this risk-based approach and the proposed alternative approaches would work in practice – to fully understand the implications of reform in this area and what proportionate safeguards were intended, emphasising the importance to UK business of retaining its own EU adequacy status.

In particular, on permitting repetitive derogations, the ICO highlights a fine balance is needed. Where a transfer is repetitive and predictable, use of an alternative international transfer mechanism under Article 46 (wholly or partly) may be more appropriate. However, the ICO accepts, where this is not possible, reliance on a derogation may still be “necessary and proportionate”, provided adequate measures were put in place, such as requiring the data exporter to document the approach taken and safeguards. In light of the increased flexibility and range of transfer tools suggested as a whole under the reform, the ICO also highlighted the importance of considering the proposals as a whole package; not least given the reforms as a whole may reduce the need for flexibility around permitting repetitive derogations.

On the proposed reverse transfer exemption, whilst the ICO supports changes to reduce burdens in a proportionate manner, it suggests any issues faced by UK organisations when making these transfers may in fact be reduced following the outcome of the ICO’s consultation on international transfers and any revised guidance in light of its own interpretation of restricted transfers and extra-territorial effect of the UK GDPR. It therefore encouraged the Government to investigate how effective this exemption may be in reducing complexity in practice.

The ICO touched on its own “proactive action” in this area as well, focussing on the equally “risk-based practical approach” suggested in its proposed International Data Transfer Agreement and Transfer Assessment, which also sought “interoperability” to some extent with the new EU SCCs – please refer to our related blog here.

v. Delivering better public services: the Government wishes to use personal data for the purpose of improving the delivery of public services while also maintaining a high level of public trust. Proposals in this regard support easier data sharing – both between different public authorities, as well as between public bodies and private companies processing on their behalf. In particular, the Consultation clarifies that private companies, organisations and individuals who have been asked to carry out an activity on behalf of a public body may rely on that body’s lawful ground of processing the data and do not have to identify a separate lawful ground to legitimise the processing of personal data. This is intended to support further collaboration between the public and private sector, particularly in light of the benefits achieved during the COVID-19 pandemic.

Key ICO Response

The ICO agrees that data sharing can help public bodies and other organisations to deliver modern, efficient services that make individuals’ lives easier. It also acknowledges that certain safeguards are in place to ensure that public authorities and officials are accountable for determining that all relevant aspects of the public task lawful ground are satisfied and that public interest is protected. However, the ICO called for further clarity on the extent to which these would apply to private bodies in these circumstances to ensure that data subject rights are sufficiently protected.

vi. Reform of the Information Commissioner’s Office: the Government intends to improve the legislative framework that underpins the powers, role and status of the ICO, setting new and improved objectives and accountability mechanisms. This includes refocussing statutory commitments away from handling a high volume of low-level complaints and towards addressing the most serious threats to public trust. The new statutory framework is intended to set out the strategic objectives and duties that the ICO must fulfil when exercising its functions, including placing new duties on the ICO to have regard to economic growth, innovation and competition when discharging its functions. Amongst other suggestions, the Government also proposes a new governance model for the ICO, aligning with the structure adopted by other regulators such as Ofcom and the FCA (i.e. with a CEO and independent board). The Secretary of State would appoint the CEO and approve (or reject) ICO guidance.

Key ICO Response

Whilst the ICO supports some of the proposed changes (including strengthening the ICO’s supervision and enforcement powers and elements of the new duties when exercising its function), it also raised strong concerns with other elements – particularly reform of its leadership structure (and the proposed approval powers granted to the Secretary of State), potentially putting the independence of the ICO (from the Government) at risk. The ICO believes that in order to maintain and build public trust, the regulator must have the ability to regulate independently. This seems a valid concern and, given the need for the Government to work closely with the ICO to further develop the proposals under the reform, one which the Government will need to reconsider closely as part of its response to the Consultation.

Next steps: Spotlight on stakeholder responses

The proposals set out in the Consultation have the ability to significantly change the data protection landscape in the UK and, in turn, the compliance requirements for businesses operating in the UK – a particular headache for those needing to comply with the dual EU and UK regimes. However, the true impact of this “new dawn” on the full spectrum of businesses operating in the UK (particularly whether the intended benefits of the proposals are realistic in practice), will only be known further down the reformation process, once the detail of any legislative changes is published.

Either way, the UK Government is clearly making waves in forging its own data protection path ahead in the wake of Brexit, in some cases currently at odds with the ICO, its own data protection supervisory authority. It will be interesting to see how those pinch points, in particular, will develop and whether they can be reconciled with the significantly more data subject focussed views of the ICO. We therefore expect (and encourage) a wide range of stakeholder responses to the Consultation by the 19 November 2021 deadline. Watch this space.

Miriam Everett
Partner, Digital TMT, Sourcing and Data, London
+44 20 7466 2378
Duc Tran
Of Counsel, Digital TMT, Sourcing and Data, London
+44 20 7466 2954
Claire Wiseman
Professional Support Lawyer, Digital TMT, Sourcing and Data, London
+44 20 7466 2384
Kabir Hosein
Trainee Solicitor, London
+44 20 7466 3769

COVID-19 PEOPLE: DATA PRIVACY ISSUES

In these unprecedented times, COVID-19 has forced organisations to quickly put into place measures with the aim of ensuring both business continuity and the protection of employees. In many instances, this has involved increased processing of health data, in ways that were not envisaged a short time ago. Organisations across the globe are also asking employees to work from home. Given the timeframes involved and the speed at which government advice and directions have evolved, data protection regulators are recognising the challenges involved (please see the related article here), yet a global pandemic is not a general waiver for privacy compliance.

Here we explore some of the data privacy issues that organisations should be considering as they adapt to the COVID-19 crisis. For more information about general people issues, please see COVID-19: People – key issues for UK employers.

COVID-19 related data processing: key compliance issues

  • Lawful basis for processing for COVID-19 related activities

For all COVID-19 related activities involving the processing of employees’ health data, whether it be as a result of: (a) employees voluntarily informing employers that they have tested positive for, or are suspected to have, COVID-19; (b) employers proactively asking employees about their health; or (c) other preventative measures introduced by employers (e.g. body temperature scanning for access on to premises), a lawful basis for processing is required under both Article 6 and Article 9 of the GDPR.

Article 6: The Article 6 ground which many organisations are likely to seek to rely on will be the “legitimate interests” of the organisation or third parties (e.g. other employees), provided that a risk assessment is carried out to check that any risks to individuals’ interests are proportionate. This should be documented in a legitimate interests assessment. It is, however, recognised that organisations are being required to respond rapidly to evolving guidance and it may not always be feasible to carry out such an assessment. Alternatively, an organisation may seek to rely on other lawful bases, such as:

    • the processing is “necessary to perform the employment contract”, if ensuring health and safety is a term of that agreement; or
    • the processing is “necessary to comply with legal obligations”, in relation to health and safety.

Article 9: As health data is considered ‘special category data’ under the GDPR, a lawful basis will also be required under Article 9 of the GDPR. It is likely that much of the processing will be necessary to carry out obligations in relation to employment law, insofar as it is authorised by Union or Member State law (Article 9(2)(b)). Other relevant grounds may also be “public health” and “preventative and occupational medicine”, again in each case insofar as authorised by Union or Member State law (Articles 9(2)(h) and (i)). As you will note, this aspect of the GDPR is devolved to Member States, meaning that local privacy and employment laws will need to be reviewed to assess what specific measures may be permitted locally when processing health data.

In respect of the UK, the UK Data Protection Act 2018 provides for these conditions at Schedule 1, Part 1, but imposes additional safeguards. For example, if relying on the basis that processing is necessary to carry out obligations in relation to employment law, the organisation must have an “appropriate policy document” in place, which should:

    • explain the organisation’s procedures for securing compliance with the principles set out in Article 5 of the GDPR; and
    • explain the organisation’s policies as regards retention and erasure of personal data, giving an indication of how long such personal data is likely to be retained.

  • Disclosing COVID-19 employee-related information

Where an employee has tested positive for COVID-19, an employer may wish to carry out ‘contact tracing’ amongst other employees, or alert other employees. However, unless it has the explicit and freely given consent of the employee who has tested positive, it should not be divulging the name of that employee to anyone else, although employers can still communicate that employees may have been exposed. The Information Commissioner’s Office (ICO) has indicated that employers that inadvertently share too much information in a bid to protect employees’ health will not be penalised, although the more cautious approach would be not to test this and to avoid disclosing the names of affected employees.

  • Proportionality and other considerations

The personal data that is processed should be limited to only what is necessary for the purpose of the response measure the organisation is implementing and for making decisions as to the action required. All other relevant GDPR principles and obligations will also need to be kept in mind and complied with – for example, data minimisation, the updating of Article 30 records, and appropriate retention periods.

COVID-19: Remote Working issues

It is not just the increased processing of health data that has raised data privacy issues. Many organisations are now asking their employees to work from home, some for the first time.

  • Security risks

Organisations are still under an obligation pursuant to Article 32 of the GDPR to ensure that the personal data processed are subject to appropriate technical and security measures. This applies in a work from home scenario as much as in the office environment.

    • Use of personal devices: Where employees have been asked to use their personal devices as part of remote working, this typically raises more issues as these will often lack the tools built in to business devices – such as strong antivirus software, customised firewalls, and automatic online backup tools. This increases the risk of malware finding its way onto devices and both personal and work-related information being compromised. Even for company-issued devices, organisations will want to consider how to manage updates where machines are not connecting to the company LAN.
    • Use of third party technologies: As organisations are embracing the use of third party technologies to adapt to this new ‘normal’, we have seen the advent of apps to replace processes and functionality that are no longer readily accessible or available to employees in a home environment – for example, videoconferencing apps, team communication apps, scanning apps etc. Questions are already being raised over the security of these apps, and the due diligence that organisations should take before permitting, or encouraging employee use, of these technologies. It may be that organisations only permit use of these technologies in limited circumstances. However, once again, given the speed of developments at the macro/governmental level, organisations are having to respond extremely quickly to a new set of security challenges.
    • BAU risks are magnified: During this time, all the more ‘traditional’ risks are likely to be magnified. Employees are working at home, possibly having shifted larger than normal amounts of confidential documents from the office to home, and may also be surrounded by others – whether it be flatmates, family or partners – which can pose a security threat. Devices should be locked when unattended, privacy screens used where possible, and phone calls or online meetings carried out somewhere they cannot be overheard, particularly if what is being discussed is business critical or sensitive information. It may also be tempting for employees to forward emails and documents containing personal data to a personal email address if working from home and having issues with company-provided devices or the remote network. However, strictly speaking, this could often amount to a personal data breach under the GDPR as an unauthorised disclosure of personal data (albeit likely not a notifiable one, depending upon the consequences of the employee doing so). As a result, communications with employees regarding use of technologies and devices etc. are more vital than ever to ensure that individuals are not inadvertently opening up the organisation to additional risk.

  • Introduction of new technologies

As we look set to be working at home for the foreseeable future, organisations may seek to introduce new technology for a host of reasons, e.g. to facilitate home-working, to monitor employees etc, which would likely involve the processing of personal data. However, as is always the case when introducing new technology that involves the processing of personal data, organisations should consider whether a data protection impact assessment is required. In the context of employee monitoring in particular, this could present issues around impact on the individual where it involves monitoring an employee at home, on a personal device, or possibly even a shared device.

COVID-19: Direct Marketing

Nothing has changed with respect to direct marketing rules and what organisations may or may not do, but just a reminder that businesses should be careful not to include marketing information in COVID-19-related communications that they are entitled to send to individuals, e.g. service communications. This could amount to a breach of the ePrivacy rules to the extent any of those individuals have opted out of receiving direct marketing. Although the ICO has made it clear that public health messages sent by the government, NHS and healthcare professionals will not be considered to be ‘direct marketing’ for ePrivacy purposes, this should not be interpreted as meaning that all messages relating to the COVID-19 pandemic will fall outside of the ePrivacy rules.

Key points for organisations

We recommend you take the following key steps when considering data privacy risks associated with COVID-19 processing activities and remote working:

  • Ensure that measures implemented are consistent with current public health advice, to help inform what is proportionate.
  • Carry out legitimate interests assessment or data protection impact assessments if required.
  • Review employee use of unauthorised third party applications.
  • Ensure that adequate IT security is in place to take into account remote working on a large scale and for a prolonged period.
  • Update company policies on remote working if needed.
  • Remind employees to be alert to security issues and of best practices and expectations to ensure secure working from home.
  • Consider ad-hoc training for those roles that typically do not work from home.


Miriam Everett
Partner, Head of Data Protection and Privacy, London
+44 20 7466 2378
Chloe Kite
Associate, London
+44 20 7466 2540

Data Protection Predictions 2019

2018 was a landmark year for data protection and privacy; the EU General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018 and implemented a comprehensive reform of the EU data protection regime. So what could 2019 possibly have in store for data protection and privacy? This article sets out some predictions for further data protection developments in the year to come.