Key data protection issues for 2023

27 Jan 2023

To help you celebrate Data Protection Day 2023 on 28 January, we share the following round-up of some of the hot topics in data protection for 2023.

Data Protection reforms
International data transfers
Direct marketing and cookies
Data security
Adtech
Fines
Al

1. Data Protection reforms

In July 2022 the UK Government introduced a new Data Protection and Digital Information (DPDI) Bill, which included plans to reform aspects of the GDPR.

This got somewhat derailed during the political storm in October 2022 and the subsequent change in Prime Minister. So, where are we now and where are we headed?

It seems that the DPDI Bill is back on the agenda. The government is intent on reforming UK GDPR and is working on further changes to the DPDI Bill.

This includes a number of business-friendly changes to make compliance less bureaucratic; for example, simplifying record keeping requirements, implementing a list of defined “legitimate interests” (e.g. fraud prevention), introducing exceptions to the consent requirement for cookies for low privacy risk purposes, and allowing firms greater scope to refuse responding to subject access requests which are “vexatious or excessive”.

While the objective of reducing red tape is to be welcomed, we have to tread carefully because if the UK diverges too far from the EU GDPR, this could put at risk the EU’s UK “adequacy decision” – which allows data to flow freely from the EU to the UK. The adequacy decision is due to expire on 27 June 2025 unless it is renewed.

2. International data transfers

New UK International Data Transfer Agreement (IDTA)

In March 2022 the ICO’s IDTA and the Addendum to the EU GDPR Standard Contractual Clauses (EU SCCs) came into force.

The UK IDTA follows the new EU SCCs (see below) but arguably is clearer and more user-friendly. The IDTA and the new EU SCCs take into account the judgment of the European Court of Justice (ECJ), in the case commonly referred to as “Schrems II”.

For the purposes of UK GDPR, existing agreements made on or before 21 September 2022 can continue to rely on the old EU SCCs until 21 March 2024, provided that the processing operations that are the subject matter of the agreement remain unchanged. After then, such agreements must be replaced with the UK IDTA or Addendum.

For new agreements, the IDTA / Addendum is now being used. However, we are still awaiting the clause by clause guidance on how to complete the IDTA and Addendum which the ICO has promised. Hopefully, this will be published in early 2023.

When you enter into a contract on the basis of the IDTA or the Addendum you must still carry out a data transfer risk assessment (TRA). This is to make sure that the protection provided by the IDTA or Addendum, given the circumstances of the restricted transfer, is adequate.

In November 2022 the ICO issued guidance and a tool to assist with carrying out these TRAs. Further guidance is expected, to include examples of how the TRA Tool can work in practice. In the meantime, we have to continue to work on the basis of the current guidance, such as it is.

EU SCCs

The European Commission issued new EU SCCs on 4 June 2021 to cover transfers from the EU under EU GDPR. The long-stop date for replacement of agreements using the old EU SCCs with the new EU SCCs was 27 December 2022 and so has now passed. Therefore, if you have not already done so, you should prioritise doing this as soon as possible. For more information, see here.

Remember, post-Brexit, the EU SCCs are not valid for transfers from the UK but can be used in conjunction with the UK Addendum (see above).

Transfers to the USA

Since the EU-US Privacy Shield was found to be invalid by the Court of Justice of the European Union (CJEU) in the Schrems II case, data transfers to the US have had to rely on the SCCs. But the parties cannot rely on SCCs alone; the data exporter also has to conduct a TRA. This is a world of pain.

But then, on 13 December 2022, a ray of sunshine peeped through when the European Commission announced that it was looking at adopting an adequacy decision for a new EU-US Data Privacy Framework. If adopted (hopefully in Q2 2023), personal data subject to EU GDPR will be able to be transferred to US companies which have self-certified to the Department of Commerce under the new Framework, without the need for SCCs and TRAs.

This will be the third attempt to set up a framework for transfers of personal data to the US. The new framework is made possible as a result of an Executive Order issued by the US Government in October 2022 which implemented safeguards that US intelligence must consider before engaging in surveillance involving EU data, and sets up a redress mechanism for individuals to challenge violations. Will this be enough to satisfy the activist, Max Schrems or will he launch another challenge? We think it likely he will, but we’ll have to wait and see.

Transfers to other states

Meanwhile, in an attempt to get ahead of the EU, in January 2021 the UK government issued its own adequacy decision in relation to The Republic of Korea (South Korea) and is working on a number of other destinations, including Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, Singapore and the USA. Will the UK approve its adequacy finding for the USA before the European Commission formally adopts the new EU-US Data Privacy Framework (see above)? We’ll have to wait and see.

3. Direct marketing and cookies

In December 2022, the ICO published new guidance and checklists on direct marketing and compliance with the Privacy and Electronic Communications Regulations 2003 (fondly known as “PECR”). PECR governs electronic marketing by email, SMS/text as well as by phone. PECR is also the regulation that requires consent for cookies that are not “strictly necessary”. PECR applies even where “personal data” is not involved.

The ICO is expected to continue its hard line enforcement against those who fail to comply with PECR, in particular in respect of predatory marketing calls, and spam email marketing (see further under Fines below).

The DPDI Bill proposes changes to the rules on direct marketing and cookies, including increasing the level of fines for infringement of PECR to the same level as those under the GDPR.

The draft EU ePrivacy Regulation aims to update the Privacy Directive (on which PECR is based) to bring it into line with GDPR (for example, in respect of the requirements for a valid consent) and establish clearer rules on electronic direct marketing and cookies. It is important to follow its progress as many UK organisations will still need to align with its requirements due to its extraterritorial reach.

In relation to cookies, following the release in January 2023 of the report of the Cookie Banner Taskforce, here are 10 takeaways for cookie compliance:

By default, no cookies which require consent can be set without a consent and that consent must be expressed by a positive action on the part of the user
On a cookie banner, the absence of refuse/reject/not consent options is not in line with the requirements for a valid consent and is an infringement
Pre-ticked boxes to opt-in is not a valid consent and is an infringement
For the consent to be valid, the user should be able to understand what they consent to and how to do so
Cookie banners must not be designed in a way that gives users the impression that they have to consent in order to access the website, nor that clearly pushes the user to give consent
The configuration in terms of colour and contrast of the buttons should not highlight the “accept all” button over other available options
If valid consent is not obtained where required for the cookies, any subsequent processing of personal data cannot be compliant with the GDPR
The legal basis for the placement or reading of cookies requires consent and cannot be “legitimate interests”
Classifying cookies as “essential” or “strictly necessary” which serve purposes which would not be considered as “strictly necessary” is an infringement, although the assessment of cookies to determine which ones are essential can raise practical difficulties – the ICO has helpful guidance on this
Website owners should put in place easily accessible solutions allowing users to withdraw their consent at any time, such as an icon (small hovering and permanently visible icon) or a link placed on a visible and standardized place

If you’re not sure about your cookies, first conduct a cookie audit to check what cookies you use and how and when they are deployed. We can then review your cookie policy and consent mechanism to ensure that it is compliant.

4. Data security

Perhaps the most important aspect of data protection is data security – as is said, there can be no data privacy without data security.

And in this respect, the biggest online risk today is ransomware. This involves a cyber-criminal encrypting an organisation’s data and then demanding money in return for returning access to the data. This can result from a simple human oversight in carelessly clicking on a link in a phishing email or being tricked into revealing their username and password – underscoring the importance of regular employee training in cybersecurity to raise awareness.

In the event of a ransomware attack there is a GDPR requirement to report the data breach to the ICO if there is a likelihood of risk to the data subjects – which usually there will be. Even if you can recover the data from back-ups, a temporary loss of access to personal data is a “personal data breach” for the purposes of GDPR.

The ICO has warned that if you pay a ransom thinking that you do not then need to notify the ICO, or that you will benefit by way of reduced enforcement, that is not correct.

Paying ransoms to release locked data does not reduce the risk to individuals, is not an obligation under data protection law, and the ICO will not take this into account as a mitigating factor when considering enforcement action.

The proper response to the risk is increased vigilance, good cyber hygiene, including keeping appropriate back-ups, and proper staff training to identify and prevent attacks. The ICO has said that organisations will get more credit from those arrangements than from paying off the criminals.

5. Adtech

Adtech continues to be a hot topic for the advertising industry, the ICO and the Competition and Markets Authority (CMA).

In February 2022, the Belgian Data Protection Authority fined IAB Europe €250,000 for GDPR breaches in relation to its Transparency and Consent Framework (TCF) and ordered IAB Europe to undertake corrective measures aimed at bringing the current version of the TCF into compliance with the GDPR.

On 11 January 2023, the Belgian DPA announced that it has approved IAB Europe’s action plan – IAB Europe has six months to implement the proposed measures.

This is good news for the adtech industry but will it hold? IAB Europe had appealed the Belgian DPA’s decision but, before ruling on the case, the Belgian court referred a number of preliminary questions to the CJEU.

The questions concern IAB Europe’s status as a (joint) controller, and whether the “TC String” (a string of numeric characters reflecting users’ preferences) can be considered “personal data”. We await the decision of the CJEU.

6. Fines

We can expect to see continued large fines in the UK and EU. In the past few weeks Ireland’s Data Protection Commission fined Meta €390 million, €210 million against Facebook, and €180 million against Instagram. The French authority, the CNIL, issued a €3 million fine to French mobile application developer Voodoo over alleged non-consensual user tracking.

In the UK, in May 2022, the ICO fined Clearview AI Inc £7.5 million for collecting images of people from the web and social media to create a database that could be used by its customers, including the police, for facial recognition.

In October 2022, the ICO warned that TikTok faces a £27 million fine after an ICO investigation found that the company may have breached UK data protection laws for failing to protect children’s privacy when using the TikTok platform.

In November 2022, the ICO laid out a new strategic approach to enforcement. They say that fines remain an important regulatory tool, and they will use them where they are needed – for the breaches which cause or have the potential to cause the most harm to people, or where a business has profited from its non-compliance.

For example, in October 2022 the ICO fined Easylife, a catalogue retailer, £130,000 for making predatory marketing calls. That’s not unusual – they regularly take action on nuisance calls and spam (for example, in September 2022 the ICO fined Halfords £30,000 for sending 498,179 unsolicited marketing emails to people without their consent).

What’s not so usual is that they also fined Easylife £1.35 million under the UK GDPR for “profiling” their customers before illegally calling them. The company was making assumptions about people’s lives – their health and any medical conditions they had – and then targeting them with products linked to those conditions without consent. The ICO deemed that to be an unacceptable use of people’s sensitive information.

But enforcement action is not limited to fines. While fines grab the attention, the ICO issues many more “reprimands”. Until recently, the ICO only published details of formal enforcement notices and fines. But from now, they will also publish details of reprimands. It’s the ICO equivalent of putting a business on the naughty step.

7. AI

If you’re involved with AI, it’s important to keep a close eye on the progress of the EU’s Artificial Intelligence (AI) Act. In December 2022, the EU reached unanimous agreement on the draft of the EU AI Act.

Three-way discussions between the EU governments, the Commission and European Parliament will begin following agreement by the European Parliament of its common position.

Meanwhile, in the UK, in July 2022, the DCMS published a policy statement on regulating the use of AI in the UK, with proposed rules on addressing the future risk and opportunities for AI systems.

AI has the potential to be intrusive from a privacy viewpoint. The GDPR deals with automated decision-making, including the use of personal data in AI and machine learning, and provides enhanced rights for individuals. In addition, the ICO’s auditing framework for AI addresses the key data protection risks that may arise in AI.

In November 2022, the ICO released guidance on how organisations can use AI and personal data appropriately and lawfully, in accordance with data laws. The guidance sets out a number of key methods organisations can use to improve their handling of AI and personal data, including:

Take a risk-based approach when developing and deploying AI
Consider how decisions can be explained to the individuals affected
Limit data collection to only what is needed
Address risks of bias and discrimination at an early stage
Dedicate time and resources to preparing data
Ensure AI systems are made and kept secure
Human review of AI outcomes should be meaningful
Work with external suppliers involved to ensure that AI is used appropriately

For more information, see here.

Chat GPT is an AI tool that has been getting a lot of attention. We decided to try it out on a legal task – for the result, see here.

So, the question is how far AI will replace or disrupt the work of lawyers – an interesting question, but perhaps let’s not go there for now!

Authors

Follow us online

Related legal expertise

Data protection & privacy

Cookie	Duration	Description
_ga	1 year 1 month 4 days	Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
CONSENT	2 years	YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
YSC	session	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.
yt-remote-device-id	never	YouTube sets this cookie to store the user's video preferences using embedded YouTube videos.

Cookie	Duration	Description
foxwilliams.vuture.net_VxSessionId	session	No description available.
intEmailHistoryId	1 year	No description available.
VISITOR_PRIVACY_METADATA	6 months	Description is currently not available.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie records the user consent for the cookies in the "Advertisement" category.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	CookieYes sets this cookie to record the default button state of the corresponding category and the status of CCPA. It works only in coordination with the primary cookie.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.