The temperature in the UK is not the only hot news this week. Data protection law has been having a hot moment of its own. From the launch of the ICO's 3 year strategic plan for consultation, through to Rishi Sunak's promise that, if elected to replace Boris Johnson, he would create "the most dynamic data protection regime in the world", and culminating with the surprise (from a timing perspective in any event) laying before Parliament of the Data Protection and Digital Information Bill, there has been a lot for data practitioners to digest. Combined with a plethora of insights we gained from attending the ICO Data Practitioner Conference on Tuesday 19th July, the data protection team at Ashurst have put together our top 5 stories and insights from the last 10 days.
1. The Data Protection and Digital Information Bill has been laid before Parliament
The UK's Data Protection and Digital Information Bill (previously referred to as the Data Reform Bill) (the "Bill") was introduced in Parliament on Monday 18 July and the text of the Bill is available here. The timing is a surprise for many reasons:
- Parliament's summer recess starts today, so debates on the Bill will be delayed until the Autumn when there is a new Prime Minister and Cabinet in place;
- As part of Boris Johnson's handover, he should only be proceeding with "essential business" and should not be moving forward with "new action of a continuing or long-term character" – we think many of you would agree that reforms to the UK's data protection laws are most definitely essential and long-term business; and
- Rishi Sunak, a frontrunner to replace Boris Johnson, recently proposed a policy that would do away with the UK GDPR and replace it with "the most dynamic data protection regime in the world", stating that data protection reform was one of his four top priorities. If Rishi is to be our new Prime Minister, the introduction of the Bill at this time may have tied his hands and stopped his radical plans for overhauling the data protection legislation inherited from the EU in their tracks.
2. The content of the Bill
The Bill does not repeal the UK GDPR, but makes specific amendments to it. This means that the resultant data protection framework of laws will be a combination of the Bill, the Data Protection Act 2018, the UK GDPR and the Privacy and Electronic Communications (EC Directive) Regulations 2003. It is worth noting that the legislative framework will still be based on the EU GDPR, but this is the first material step towards divergence from Europe in the field of data protection.
So what does this divergence look like? We already had a "trailer" to the content of the Bill through the government's consultation response, and by and large the Bill doesn’t look to contain any major surprises. More detail and analysis from us will follow in due course but key changes are:
- Definition of Personal Data: The Bill proposes to change the definition of personal data to whether a living individual can be identified by "reasonable means" "at the time of the processing", or "where the controller or processor knows, or ought reasonably to know, that another person will, or is likely to, obtain the information as a result of the processing, and the living individual will be, or is likely to be, identifiable by reasonable means at the time of the processing." This concept is one that case law and guidance have been grappling with for a long time, and this new definition is a change in course from ICO guidance, which currently applies a "motivated intruder" test, i.e. the data is considered personal data if a motivated intruder (for example investigative journalists, estranged partners, stalkers or industrial spies) could identify the individual. This new definition, if it makes it through the legislative scrutiny process, would seek to lower the threshold for data to count as anonymous.
- Reform of the accountability framework: A more flexible accountability framework is being introduced, including (i) removal of the requirement for a DPO and the introduction of a new requirement to appoint a "senior responsible individual"; (ii) the replacement of the Data Protection Impact Assessment with risk assessment tools; and (iii) the removal of Record of Processing Activities requirements, to be replaced with a requirement to document purposes of processing in the form of a record of processing of personal data. This seems to us to be more of a rebranding exercise than any materially different requirements. The consultation response had indicated that those who comply with the accountability regime of the current GDPR would meet the requirements of the new UK version; however, no such comfort is given in the proposed text of the Bill. Indeed there is a potential for conflict between the current GDPR requirements for a DPO and those of its proposed replacement, the "senior responsible individual", who needs to be "part of the organisation's senior management". Currently DPO functions can be performed by external parties and the DPO simply needs to report to senior management.
- PECR and Cookies: The PECR fining regime will be brought into line with the fining regime under the UK GDPR/Data Protection Act 2018, meaning that breaches of marketing requirements can now attract the same potential fines of up to 4% of annual turnover that data security breaches can command. Website cookie notice and consent requirements are being toned down.
- Legitimate Interests: In order to process personal data, a lawful basis is required. The most common lawful basis currently used is that processing is in a person's, business' or a third party's legitimate interest. It requires a balancing exercise to be undertaken, weighing the legitimate interests of the organisation wishing to rely on it against the rights of an individual to privacy. Although it is the most flexible lawful basis, it is also not clear to many organisations whether they can rely on it. The Bill has, therefore, proposed a list of processing operations that would satisfy this lawful basis. It is unclear to us from the proposed text whether this is intended to restrict the use of this lawful basis to the particular processing operations identified, or whether it still remains possible to complete a legitimate interest assessment and balancing exercise for any processing of personal data. If the former, we would imagine much lobbying to add further processing operations to this list.
- Data Transfers: The Bill purports to give data exporters the ability to act pragmatically and proportionately when making international transfers of personal data. It proposes a test whereby the Secretary of State (when making "adequacy" determinations) and controllers (when using other transfer mechanisms such as the UK's International Data Transfer Agreement) consider whether the standard of protection provided for data subjects in the data receiver's country is "not materially lower" than the standard of protection provided for data subjects in the UK. The explanatory notes state that the test would not require a "point-by-point comparison" of the UK versus the importing country's regime, but instead should be an outcomes-based assessment where one considers the overall standard of protection for a data subject. This chimes with the proposed guidance from the ICO on Transfer Risk Assessments (see point four below), but notably goes against many EU data protection authorities, who have ruled that transfers of personal data outside the EU cannot be assessed on a risk-based approach. It is this provision that poses the most risk to the UK's adequacy decision, and the impact assessment issued alongside the Bill does acknowledge that the cost of losing adequacy would outweigh the benefits of introducing this more risk-based approach.
3. ICO Strategic Plan
The ICO launched its consultation into its 3 year Strategic Plan on 14 July 2022, dubbed the ICO25 Plan. It is open for consultation until 22 September 2022.
This is rather awkward timing given the recent publication of the Bill, which in itself is due to set strategic objectives for the ICO. Unsurprisingly this point was raised during the DPO panel session at the ICO Data Practitioner Conference. The panel was chaired by the Commissioner, who stood steadfast in his belief that the Bill does not change the ICO's strategy as it will give the ICO flexibility and discretion. We, however, believe that adaptations to the ICO25 Plan in the coming years will be inevitable.
The ICO25 Plan is built around four policy objectives: (i) safeguarding and empowering people; (ii) empowering responsible innovation and sustainable economic growth (this objective is likely to work in parallel with the objective of the Bill to reduce burdens on business); (iii) promoting openness, transparency and accountability (namely supporting the development of a modern FOIA); and (iv) developing the ICO's culture, capability and capacity.
The ICO25 Plan includes an action plan for the upcoming year and we have set out below the key points that may influence compliance activity in your organisation:
- DSAR Generator - The ICO will develop a DSAR generator to help individuals: (i) identify where their personal data may be, or is likely to be, held; and (ii) request such information from organisations by using a template from the ICO. This move will ultimately facilitate individuals in making DSARs and seems to be the first of many steps by the ICO in encouraging DSARs. Many of you may also have heard the Commissioner, John Edwards, being interviewed on the Today programme on 14 July, where he spoke of his desire to empower individuals, particularly the vulnerable, and the proposed DSAR tool looks key to enabling this. With this in mind, you may need to be prepared to see an increase in DSARs, so now is the time to ensure that your processes and procedures are fit for purpose and can cope with a peak in demand.
- AI - The ICO will be investigating concerns over the use of algorithms to sift recruitment applications, which could be negatively impacting the employment opportunities of those from diverse backgrounds. It will also look at the use of algorithms within the benefits system. Therefore, if you use AI in any of these ways, now is the time to put such activities through a DPIA and really stress test whether such processing activities are appropriate. Additionally, the ICO will be refreshing its guidance for AI developers on ensuring that algorithms treat people and their information fairly.
- Cookies - The ICO will influence changes such as the phasing out of third-party cookies and will work with the government, industry and other regulators to give web users control over how they are tracked online and move away from cookie pop-ups. In light of this, many UK organisations may be pressing pause on their internal cookie projects to see how these changes manifest.
- Templates and Guidance:
- In a bid to reduce the compliance burden on small businesses, the ICO has chosen to share its own internal data protection compliance training resources, which are available here. If your internal data protection training needs updating, or if your training is missing key areas, you can select the modules from the ICO website and add them to your training suite. For most organisations, data subject rights are often problematic, largely because the business or team handling them finds it challenging to understand the exemptions and apply them correctly. Helpfully, modules 8-11 focus on this topic and, therefore, it may be worth circulating these to your data subject rights handling team.
- The ICO will also be producing a pipeline of guidance, including: an updated direct marketing code; a range of off-the-shelf products or templates to help organisations develop their own accountability or privacy management programmes; a database of published recommendations made following complaints investigations or audits, including examples of improved practice and best or good practice; a database publishing all "one-off" pieces of advice given; and, of particular interest, sector-specific guidance. This sector-specific guidance is very welcome given the complexities and nuances of sectors such as financial services, tech and SaaS or payment services, which have meant that current guidance has been too high level and not fit for purpose.
- Marketing calls: The ICO will continue to focus on predatory marketing calls that target vulnerable people online and on social media. As ever, marketing is always a hot topic and an area of high enforcement, so revisit your marketing practices to ensure that you will not be the subject of an investigation for nuisance and unwanted marketing.
4. Data Transfers and Risk Assessments
At the ICO Data Practitioner Conference it was announced that at some point this Summer/just after the Summer period, the ICO will be producing: (i) its final guidance on transfer risk assessments (TRA); (ii) its proposed TRA tool to aid organisations in completing TRAs; and (iii) a TRA Record to document your TRA. The ICO will also be publishing, in the Autumn, a clause by clause guidance document on using the UK's International Data Transfer Agreement ("IDTA") and UK Addendum.
This is welcome clarity, as UK businesses have been in a state of limbo for a while as to whether UK guidance will be more pragmatic and allow a more risk-based approach to transfers of personal data outside the UK, rather than the current European Data Protection Board guidance that applies to transfers of personal data outside the EU following the Schrems II decision. We are aware of many clients who have paused their data transfer remediation projects for transfers of personal data outside the UK pending the release of the ICO's guidance; however, this is an uncomfortable compliance position to be in, given that the ruling in Schrems II has been binding in the UK since its publication in July 2020. The use of the IDTA for all new data transfers from the UK becomes a legal requirement from 21 September 2022.
The lunchtime session on Transfer Risk Assessments at the ICO conference suggested the following likely content for the guidance:
- A reasonable and proportional approach can be taken to TRAs.
- TRAs should focus on the assessment of two types of risk: (i) enforcement of the IDTA; and (ii) third party access. This echoes the proposed contents of the Bill (see above).
- In undertaking a TRA, organisations can focus on assessing the data protection and human rights laws of the third country, rather than assessing all laws and practices.
- Either the controller or the processor is responsible for ensuring that data transfers are compliant with Chapter V UK GDPR; not both. Therefore, when determining who bears the responsibility for undertaking a TRA and putting in place the relevant transfer mechanism, it will hinge on who has "instigated" the data transfer. For example, a processor engaging a sub-processor will be responsible, rather than the controller, for completing the TRA.
- A transfer of personal data from a UK processor to a controller in a third country will not constitute a restricted transfer; this means that a TRA and the incorporation of a transfer mechanism such as the UK IDTA will not be necessary.
- Organisations can group multiple transfers for individual countries, as long as the circumstances are the same or substantially similar, to avoid the need for individual and numerous separate TRAs.
The ICO also confirmed they are considering producing a table of suggested supplementary measures. Supplementary measures are additional organisational and security requirements which may be placed on the data importer, to mitigate any risks presented by the TRA. A list of suggested clauses will be very welcome to SMEs and those without access to significant legal resource.
5. AI Policy Paper
Finally, in tandem with the publication of the Bill, on 18 July the DCMS issued a Policy Statement and call for views and evidence on the governance and regulation of AI. Following responses to the consultation, the government will issue a White Paper later in the year. The Policy Statement:
- proposes a "light touch" and flexible framework, supported by various AI standards and assurance tools;
- proposes that regulatory control will be decentralised, with existing regulatory bodies (such as the ICO, FCA, CMA, MHRA and Ofcom) applying the framework as appropriate to their areas of remit and strategic focus; and
- sets out that the framework will be based on a set of core principles to regulate the use of AI against its impact on individuals, groups and businesses, including safety; security; transparency; fairness; and accountability. This is a stark contrast to the more prescriptive and onerous regime proposed for the EU in the Artificial Intelligence Act.
The government is requesting feedback on its proposed approach by 26 September.
If you'd like to discuss any of the above, please get in touch.