Data Protection Law
Data protection in 2022 will be shaped, in large part, by the outcome of the Department for Digital, Culture, Media and Sport (DCMS) consultation. The consultation, DCMS: Data: A new direction (10 September 2021), seeks to reduce what the government sees as the burden of complying with the UK GDPR. It hopes to “create an ambitious, pro-growth and innovation-friendly data protection regime that underpins the trustworthy use of data”. Aside from such sweeping objectives, the ICO is also expected to clarify its approach to international transfers of data in a post-Brexit UK. Organisations will need to review their position once these changes become official. For background to this issue read our blog: IDTA: One Small Step for Data Protection, One Giant Leap for the UK.
Changes to accountability framework
The DCMS consultation proposes to change the accountability framework in the following ways:
- Require an organisation to develop and implement a risk-based privacy management programme that reflects the volume and sensitivity of the personal information it handles, and the type(s) of data processing it carries out. This would mean a tailored approach to data protection risk assessments for each organisation, as opposed to the one-size-fits-all framework currently in place.
- The government proposes to remove existing requirements to designate a data protection officer. The new proposed requirement to designate a suitable individual, or individuals, to be responsible for the privacy management programme and for overseeing the organisation’s data protection compliance “would place different obligations on organisations, potentially driving more effective data protection outcomes”.
- The consultation suggests removing the requirement for organisations to undertake a data protection impact assessment, so that organisations can adopt different approaches to identify and minimise data protection risks “that better reflect their specific circumstances.”
- It has been proposed that the government remove the requirement for prior consultation with the ICO where an organisation has identified a high risk that cannot be mitigated. The reasoning is that prior consultation is infrequently used and, counterintuitively, organisations may be more willing to contact the ICO if they know they can do so without fear of regulatory action.
These are some of the main changes the government proposes to make to the accountability framework, and they could affect data protection in 2022. Whether or not these suggestions will become official remains to be seen. Given that divergence from the EU’s rules would put the UK’s adequacy decision in jeopardy, it could be that some of these proposals are watered down. In any case they give a sense of the sort of areas the government wishes to reform.
Data protection in 2022 – direct marketing
The ICO’s consultation on its draft direct marketing code of practice closed in March 2020. It is not clear when the code will be finalised. Once in force, it will provide the ICO with more enforcement power than the direct marketing guidance made under the Data Protection Act 1998. It is likely that publication of the code will coincide with the government’s response to the DCMS consultation. The DCMS consultation also made some suggestions for the rules around direct marketing which could affect data protection in 2022, including:
- Increasing the fines that can be imposed under PECR to the same level as the UK GDPR. Currently the ICO can levy a fine of up to £500,000 for non-compliance with PECR, whereas the UK GDPR allows for a fine of up to £17.5 million or 4% of global annual turnover, whichever is higher. The ICO considers the PECR cap disproportionate: it recently issued an enforcement notice against a company that instigated 193,606,544 attempted automated calls between 1 June and 1 October 2018, yet the maximum fine available was £500,000.
- The government proposes to extend soft opt-in to electronic communications from organisations other than businesses where they have previously formed a relationship with the person, perhaps as a result of membership or subscription.
- It has been proposed that the government permit organisations to use analytics cookies and similar technologies without the user’s consent. In effect, these cookies would be treated in the same way as ‘strictly necessary’ cookies under the current legislation, for which consent is not required. However, further safeguards would need to be considered to ensure that such processing has a low impact on users’ privacy.
Data protection in 2022 – international transfers
Data protection in 2022 will almost certainly see changes in cross-border transfers. In 2021 the UK was lucky to see flows of data to and from the EU continue uninterrupted. First a temporary bridging mechanism was extended, and then in June the European Commission granted the UK an adequacy decision. This meant that, although the UK is now a ‘third country’ for the purposes of EU data protection law, personal data can be transferred to the UK without any additional safeguards needing to be put in place.
However, the UK still needed to recalibrate its own mechanisms for cross-border transfers of data. The EU Standard Contractual Clauses could no longer be used without amendment. These amendments were made and published, but then over last summer and into autumn the ICO ran a consultation in which it addressed many of the questions left unanswered by the EU’s approach to international data transfers and published a new draft international data transfer agreement (IDTA), which sought to simplify the EU SCCs. Read our blogs: IDTA: One Small Step for Data Protection, One Giant Leap for the UK and UK Data Protection Law: The UK Asks Some Uncomfortable Questions. Once these updates are made official, which will probably happen in 2022, organisations will need to review the contracts that enable their cross-border transfers of personal data.
Data protection in 2022 – DCMS global data protection plans
The DCMS package of global data protection plans aims to boost growth, increase trade and improve healthcare and public services. The package includes:
- New multi-billion pound global “data adequacy” partnerships, initially with six priority territories: the USA, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia. The government is also looking at potential future data sharing partnerships with other fast-growing economies such as Kenya, India, Brazil and Indonesia.
- A new International Data Transfers Expert Council to support the UK in championing the international flow of personal data.
- The DCMS consultation includes suggested fresh approaches to adequacy regulations; alternative transfer mechanisms subject to appropriate safeguards such as UK SCCs and UK Binding Corporate Rules; certification schemes; and derogations.
Whilst such plans look to be heralding a new dawn for the UK’s approach to data on an international level, there are concerns that if the UK’s regime deviates too far from the EU’s, it could trigger an early review of the UK’s adequacy decision – which in any event expires on 27 June 2025 unless renewed.
AI and Machine Learning
The ICO, as part of its Guidance on AI and Data Protection, has elaborated on the concept of fairness in an AI context. In addition to the general fairness requirements, the ICO considers that fair processing in an AI context involves “ensuring an AI system is statistically accurate; avoiding discrimination in the use of AI for decision-making; the possibility of making incorrect inferences about people using AI; and the consequences of false positives versus false negatives”. The DCMS consultation suggested making the following updates to the guidance and application of legislation in this field, which could affect data protection in 2022:
- The government proposes to stipulate that processing personal data for the purposes of ensuring bias monitoring, detection and correction in relation to AI systems constitutes a legitimate interest in terms of Article 6(1)(f) for which the balancing test is not required. Therefore organisations would need less justification when processing personal data for the purpose of ensuring AI is behaving ‘fairly’.
- It is proposed that more certainty be introduced around when safeguards apply to AI. The UK GDPR’s provisions on explainability and transparency for algorithmic decisions (Article 22) are restricted to decisions based ‘solely on automated processing’. However, most automated decisions involve a human at some point or level. The government is looking to clarify this point. This could mean that organisations using AI for parts of their processes that were previously thought to fall outside these provisions will need to review their position if any changes are made.
Data protection in 2022 – minimisation and anonymisation
Determining whether personal data is anonymous can be complex; organisations must make a context-specific decision, taking into account various risks and external factors. In the DCMS consultation the government states that it is considering legislation to confirm that the question of whether data is anonymous is relative to the means reasonably available to the data controller to re-identify it. This suggested ‘relative’ test (i.e. relative to the means of the data controller), while not wholly divergent from the current guidance, could give organisations more confidence to anonymise data and use it more innovatively.
Here to help
Whilst many of the possibilities for data protection in 2022 set out here depend upon the outcome of the DCMS consultation, it is clear that the UK is not shying away from updating its data protection regulatory landscape. Much will depend upon how comfortable the government feels in pushing the boundaries of the UK’s adequacy decision with the EU. What organisations can almost certainly expect is changes to the documents and guidance used for international transfers of data.