To help you celebrate Data Protection Day 2023 on 28 January, we share the following round-up of some of the hot topics in data protection for 2023.
In July 2022 the UK Government introduced a new Data Protection and Digital Information (DPDI) Bill, which included plans to reform aspects of the GDPR.
This got somewhat derailed during the political storm in October 2022 and the subsequent change in Prime Minister. So, where are we now and where are we headed?
It seems that the DPDI Bill is back on the agenda. The government is intent on reforming UK GDPR and is working on further changes to the DPDI Bill.
This includes a number of business-friendly changes to make compliance less bureaucratic; for example, simplifying record-keeping requirements, implementing a list of defined “legitimate interests” (e.g. fraud prevention), introducing exceptions to the consent requirement for cookies for low-privacy-risk purposes, and allowing firms greater scope to refuse to respond to subject access requests which are “vexatious or excessive”.
While the objective of reducing red tape is to be welcomed, we have to tread carefully because if the UK diverges too far from the EU GDPR, this could put at risk the EU’s UK “adequacy decision” – which allows data to flow freely from the EU to the UK. The adequacy decision is due to expire on 27 June 2025 unless it is renewed.
In March 2022 the ICO’s International Data Transfer Agreement (IDTA) and the Addendum to the EU GDPR Standard Contractual Clauses (EU SCCs) came into force.
The UK IDTA follows the new EU SCCs (see below) but arguably is clearer and more user-friendly. The IDTA and the new EU SCCs take into account the judgment of the European Court of Justice (ECJ), in the case commonly referred to as “Schrems II”.
For the purposes of UK GDPR, existing agreements made on or before 21 September 2022 can continue to rely on the old EU SCCs until 21 March 2024, provided that the processing operations that are the subject matter of the agreement remain unchanged. After then, such agreements must be replaced with the UK IDTA or Addendum.
For new agreements, the IDTA / Addendum is now being used. However, we are still awaiting the clause-by-clause guidance on how to complete the IDTA and Addendum which the ICO has promised. Hopefully, this will be published in early 2023.
When you enter into a contract on the basis of the IDTA or the Addendum you must still carry out a data transfer risk assessment (TRA). This is to make sure that the protection provided by the IDTA or Addendum, given the circumstances of the restricted transfer, is adequate.
In November 2022 the ICO issued guidance and a tool to assist with carrying out these TRAs. Further guidance is expected, to include examples of how the TRA Tool can work in practice. In the meantime, we have to continue to work on the basis of the current guidance, such as it is.
The European Commission issued new EU SCCs on 4 June 2021 to cover transfers from the EU under EU GDPR. The long-stop date for replacement of agreements using the old EU SCCs with the new EU SCCs was 27 December 2022 and so has now passed. Therefore, if you have not already done so, you should prioritise doing this as soon as possible. For more information, see here.
Remember, post-Brexit, the EU SCCs are not valid for transfers from the UK but can be used in conjunction with the UK Addendum (see above).
Since the EU-US Privacy Shield was found to be invalid by the Court of Justice of the European Union (CJEU) in the Schrems II case, data transfers to the US have had to rely on the SCCs. But the parties cannot rely on SCCs alone; the data exporter also has to conduct a TRA. This is a world of pain.
But then, on 13 December 2022, a ray of sunshine peeped through when the European Commission announced that it was looking at adopting an adequacy decision for a new EU-US Data Privacy Framework. If adopted (hopefully in Q2 2023), personal data subject to EU GDPR will be able to be transferred to US companies which have self-certified to the Department of Commerce under the new Framework, without the need for SCCs and TRAs.
This will be the third attempt to set up a framework for transfers of personal data to the US. The new framework is made possible as a result of an Executive Order issued by the US Government in October 2022 which implemented safeguards that US intelligence must consider before engaging in surveillance involving EU data, and sets up a redress mechanism for individuals to challenge violations. Will this be enough to satisfy the activist Max Schrems, or will he launch another challenge? We think it likely he will, but we’ll have to wait and see.
Meanwhile, in an attempt to get ahead of the EU, in January 2021 the UK government issued its own adequacy decision in relation to The Republic of Korea (South Korea) and is working on a number of other destinations, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, Singapore and the USA. Will the UK approve its adequacy finding for the USA before the European Commission formally adopts the new EU-US Data Privacy Framework (see above)? We’ll have to wait and see.
In December 2022, the ICO published new guidance and checklists on direct marketing and compliance with the Privacy and Electronic Communications Regulations 2003 (fondly known as “PECR”). PECR governs electronic marketing by email, SMS/text as well as by phone. PECR is also the regulation that requires consent for cookies that are not “strictly necessary”. PECR applies even where “personal data” is not involved.
The ICO is expected to continue its hard-line enforcement against those who fail to comply with PECR, in particular in respect of predatory marketing calls and spam email marketing (see further under Fines below).
The DPDI Bill proposes changes to the rules on direct marketing and cookies, including increasing the level of fines for infringement of PECR to the same level as those under the GDPR.
The draft EU ePrivacy Regulation aims to update the Privacy Directive (on which PECR is based) to bring it into line with GDPR (for example, in respect of the requirements for a valid consent) and establish clearer rules on electronic direct marketing and cookies. It is important to follow its progress as many UK organisations will still need to align with its requirements due to its extraterritorial reach.
In relation to cookies, following the release in January 2023 of the report of the Cookie Banner Taskforce, here are 10 takeaways for cookie compliance:
Perhaps the most important aspect of data protection is data security – as is said, there can be no data privacy without data security.
And in this respect, the biggest online risk today is ransomware. This involves a cyber-criminal encrypting an organisation’s data and then demanding money in return for restoring access to the data. This can result from a simple human oversight, such as an employee carelessly clicking on a link in a phishing email or being tricked into revealing their username and password – underscoring the importance of regular employee training in cybersecurity to raise awareness.
In the event of a ransomware attack there is a GDPR requirement to report the data breach to the ICO if there is a likelihood of risk to the data subjects – which usually there will be. Even if you can recover the data from back-ups, a temporary loss of access to personal data is a “personal data breach” for the purposes of GDPR.
The ICO has warned that if you pay a ransom thinking that you do not then need to notify the ICO, or that you will benefit by way of reduced enforcement, that is not correct.
Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and the ICO will not take this into account as a mitigating factor when considering enforcement action.
The proper response to the risk is increased vigilance, good cyber hygiene, including keeping appropriate back-ups, and proper staff training to identify and prevent attacks. The ICO has said that organisations will get more credit from those arrangements than from paying off the criminals.
Adtech continues to be a hot topic for the advertising industry, the ICO and the Competition and Markets Authority (CMA).
In February 2022, the Belgian Data Protection Authority fined IAB Europe €250,000 for GDPR breaches in relation to its Transparency and Consent Framework (TCF) and ordered IAB Europe to undertake corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR.
On 11 January 2023, the Belgian DPA announced that it has approved IAB Europe’s action plan – IAB Europe has six months to implement the proposed measures.
This is good news for the adtech industry but will it hold? IAB Europe had appealed the Belgian DPA’s decision but, before ruling on the case, the Belgian court referred a number of preliminary questions to the CJEU.
The questions concern IAB Europe’s status as a (joint) controller, and whether the “TC String” (a string of numeric characters reflecting users’ preferences) can be considered “personal data”. We await the decision of the CJEU.
We can expect to see continued large fines in the UK and EU. In the past few weeks Ireland’s Data Protection Commission fined Meta a total of €390 million: €210 million in respect of Facebook and €180 million in respect of Instagram. The French authority, the CNIL, issued a €3 million fine to French mobile application developer Voodoo over alleged non-consensual user tracking.
In the UK, in May 2022, the ICO fined Clearview AI Inc £7.5 million for collecting images of people from the web and social media to create a database that could be used by its customers, including the police, for facial recognition.
In October 2022, the ICO warned that TikTok faces a £27 million fine after an ICO investigation found that the company may have breached UK data protection laws for failing to protect children’s privacy when using the TikTok platform.
In November 2022, the ICO laid out a new strategic approach to enforcement. They say that fines remain an important regulatory tool, and they will use them where they are needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance.
For example, in October 2022 the ICO fined Easylife, a catalogue retailer, £130,000 for making predatory marketing calls. That’s not unusual – they regularly take action on nuisance calls and spam (for example, in September 2022 the ICO fined Halfords £30,000 for sending 498,179 unsolicited marketing emails to people without their consent).
What’s not so usual is that they also fined Easylife £1.35 million under the UK GDPR for “profiling” their customers before illegally calling them. The company was making assumptions about people’s lives – their health and any medical conditions they had – and then targeting them with products linked to those conditions without consent. The ICO deemed that to be an unacceptable use of people’s sensitive information.
But enforcement action is not limited to fines. While fines grab the attention, the ICO issues many more “reprimands”. Until recently, the ICO only published details of formal enforcement notices and fines. From now on, it will also publish details of reprimands. It’s the ICO equivalent of putting a business on the naughty step.
If you’re involved with AI, it’s important to keep a close eye on the progress of the EU’s Artificial Intelligence (AI) Act. In December 2022, the EU reached unanimous agreement on the draft of the EU AI Act.
Three-way discussions between the EU governments, the Commission and the European Parliament will begin once the European Parliament has agreed its common position.
Meanwhile, in the UK, in July 2022, the DCMS published a policy statement on regulating the use of AI in the UK, with proposed rules on addressing the future risks and opportunities of AI systems.
AI has the potential to be intrusive from a privacy viewpoint. The GDPR deals with automated decision-making, including the use of personal data in AI and machine learning, and provides enhanced rights for individuals. In addition, the ICO’s auditing framework for AI addresses the key data protection risks that may arise in AI.
In November 2022, the ICO released guidance on how organisations can use AI and personal data appropriately and lawfully, in accordance with data laws. The guidance sets out a number of key methods organisations can use to improve their handling of AI and personal data, including:
For more information, see here.
ChatGPT is an AI tool that has been getting a lot of attention. We decided to try it out on a legal task – for the result, see here.
So, the question is how far AI will replace or disrupt the work of lawyers – an interesting question, but perhaps let’s not go there for now!