Article by Ralitsa Stancheva.
Data privacy is anything but a stale and slow-moving area! Companies pay increasingly close attention to it, and it is thus an indispensable part of any law student’s commercial awareness must-read list. This article offers a summary of some noteworthy developments since the beginning of the year and a glimpse of what lies ahead in the coming months.
On January 4, the Information Commissioner’s Office (ICO) – UK’s independent regulator for data protection and information rights law – announced that John Edwards will be taking on the role of UK Information Commissioner for a five-year term. Unsurprisingly, keeping in mind Frances Haugen’s testimony before the UK Parliament last October, protecting children online is high on the regulator’s agenda. The ICO also announced its intention to work together with the government on the proposed reforms to the Data Protection Act 2018 and on introducing an Online Safety Bill.
Mr Edwards has also indicated that reducing compliance costs, especially for small to medium enterprises, is a priority for him and his team. The Commissioner has suggested that declaring the ICO’s position on areas that might have previously been ambiguous and proving companies with “tools to understand and apply the law” could reduce the need for them to “incur large professional fees”.
On January 25, the Department for Digital, Culture, Media & Sport and the Minister of State Julia Lopez MP announced the launch of an International Data Transfer Expert Council. The Council will be meeting each quarter and comprises representatives of the academia, various organisations, and the digital industry, including the World Economic Forum, the Future of Privacy Forum, Hogan Lovells, Bird & Bird, Dentons, Google, Microsoft, IBM, and Mastercard. Its goal: to advise the government on how to obtain the benefits of free and secure international data flows.
The government plans to grow UK’s data-enabled service exports (currently estimated at £83 billion) and make the provision of digital services faster, cheaper, more secure and reliable, by reducing the barriers to cross-border data transfers and delivering a global data policy. To support this plan, the Council will look at the possibilities for introducing new mechanisms for international data transfers and forming data adequacy partnerships with priority destinations, including the United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre, and Colombia.
Designating a country (or an organisation) as adequate means that its standard for protection of personal data mirrors that of the UK GDPR. Transfers of personal data between the UK and the designated destination can thus happen freely and less costly compared to alternative transfer mechanisms, such as standard and custom data protection clauses, codes of conduct, or certification schemes.
This step falls under the third pillar of the UK’s National Data Strategy focused on ensuring data availability, and its fifth priority area of action (called “mission” in the strategy) – championing the international flow of data and the benefits that data can deliver. The initiative must also be viewed in the grander context of the UK’s National AI strategy and the fact that, according to data of the European Commission, the UK constitutes the largest data market in the EU.
On February 2, the Secretary of State for Digital, Culture, Media and Sport Nadine Dorries MP laid before Parliament the international data transfer agreement (IDTA), together with two associated documents. If the Parliament accepts ICO’s proposal, all three documents will come into force on March 21 replacing the standard contractual clauses currently in use for international transfers of personal data. If approved, the agreement is expected to introduce a much-welcomed level of simplicity and flexibility.
2022 may also see some significant reforms to the UK’s data protection regime being initiated following the Department’s public consultation, which ran until November 21, 2021. The consultation serves to deliver on mission number two under the National Data Strategy – securing a pro-growth and trusted data regime.
Specifically, the government’s proposal includes reducing barriers to data flows and responsible innovation, while in parallel, the ICO has launched a consultation, ending on September 16, for views on its draft guidance on anonymisation, pseudonymisation and privacy-enhancing technologies. The proposal is also focused on reducing the administrative burden on businesses – particularly, small to medium organisations and those that undertake low-risk data processing, on the delivery of better public services and reforming the ICO.
The new regime envisaged would relax the current requirements of the UK GDPR. Yet, commentators have pointed that these changes, if introduced, could create practical difficulties for UK companies operating in the EU. On the one hand, UK companies may enjoy a more relaxed regime at home while having to comply with a stricter one on their EU markets. On the other, the legislation might get amended to an extent that jeopardizes the EU GDPR adequacy decision on personal data transferred from the EU to the UK. In other words, the EU might no longer recognise the UK’s standard for protection of personal data as equally high, and could even revoke its adequacy decision on this basis.
Also on February 2, the ICO extended an invitation to public and private organisations in the health sector to participate in workshops on privacy-enhancing technologies. Through these workshops, ICO aims to explain how such technologies can be leveraged for the compliant sharing of sensitive health data, and understand how it can help deploy them on a greater scale as the current adoption is not high. The insights gathered from the participating organisations will serve for producing official guidance by the regulator.
As always, it remains important for companies to follow these developments to be able to best position themselves in the changing legislative circumstances and grasp new opportunities.