The UK and global data protection landscape – seeing the bigger picture and navigating the maze
15 June 2022
The data protection landscape in the UK, and globally, continues to evolve. The pace and number of initiatives have continued into 2022. This requires a step back – to look for key trends and the most relevant strategic issues.
The drivers are multi-disciplinary – regulators and courts are deciding significant cases on the interpretation of GDPR, governments are proposing new policy initiatives related to the economic opportunities and societal risks from digital business models, and new technologies are rapidly maturing.
Whilst AI has been a growing reality for many years, new technologies such as quantum computing are set to drive further acceleration, and with it new opportunities and risks. For example, quantum will offer new opportunities for accelerated discoveries in medical research and new drug developments, but, allied to that, offers new challenges to existing privacy enhancing technologies such as encryption.
Many of you will know me with a different hat – for 15 years I worked for the Information Commissioner’s Office (ICO), regulating data protection and freedom of information. For the last six years I was Deputy Commissioner, leading the ICO’s policy function and regulatory strategy. I left the ICO in April of this year to take up a new portfolio career, and I’m delighted to join Allen and Overy as a Special Advisor.
In this introductory blog I will set out some of the key data protection developments on the horizon for organisations, in the UK and globally.
UK Data Reform
In the UK, nearly six years after Brexit, we are now close to seeing the shape of the data protection reforms. The coming years will see a further evolution of GDPR into a form that many hope will better reflect UK regulatory principles and approach. On the 10 May the Queen’s speech to Parliament set out the government’s intention to introduce the Data Reform Bill. We did not see the Bill alongside the speech but it should emerge soon. The background notes for the Speech offer some general insight on likely content and three purposes for the Bill:
- Take advantage of the benefits of Brexit to create a world class data rights regime that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK
- Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public
- Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts
The key questions for the reforms are:
- Do the proposed reforms do enough to enable innovation and move the UK to a more flexible and proportionate regime, removing some of the prescription from UK GDPR?
- How will the proposals affect the EU’s adequacy decision? The adequacy test of ‘essential equivalence’ does not mean a carbon copy of EU GDPR is necessary, so how far can the UK diverge?
- Will the proposed reforms impact on the key rights and principles in UK GDPR? Can they safeguard against the harms and risks from new technologies, particularly related to AI and automated decision making? What impact will this have on trust and confidence in the UK’s DP regime?
In the meantime, it is worth noting the comments from the Information Commissioner, John Edwards, in a recent speech to an EU audience in Brussels:
"Decision makers in the UK are well aware of the value of retaining the European Commission’s adequacy determination, and the costs of losing it. I am confident that what will emerge from the reform process will reassure Europeans that Europeans’ data in the UK will continue to enjoy the same high standard of protection that it does within the EU.
I urge you to look beyond any political rhetoric, and stress test the proposal against a criteria of risk to EU interests, and I am sure when you do so you will find it holds up."
In terms of practical day-to-day implications for organisations, the most watched areas are likely to be:
- Proposed changes to the accountability provisions – removing data protection impact assessment and data protection officer requirements, and the new proposal for privacy management programmes and risk assessments. UK-focused businesses may welcome these changes, but global businesses will also want to understand how best to integrate these accountability requirements into their wider governance approach, including under EU GDPR
- Options to reform the subject access regime – the consultation mooted possible fees and/or a cost limit for SARs
- Reforms to the regime for international transfers – the consultation set out reforms for a more proportionate and risk-based adequacy assessment process. The DCMS consultation lacked detail but also sought views on how to effectively provide proportionality when assessing risks for alternative transfer mechanisms, such as standard contractual clauses
In terms of risks to EU adequacy, the reforms to the ICO will also be closely watched.
I will post another blog once the shape of the Bill is clear. The reforms aim to save £10 billion over 10 years, but will initially require further guidance and advice from the ICO and Data Protection Officers on how to implement effectively.
Interplay with other regulatory developments
It is also worth noting the Government’s proposed reforms to Human Rights law as well. The Queen’s Speech set out an intention to introduce a new Bill of Rights and reform the Human Rights Act. This includes proposals related to the balance between freedom of expression and privacy, seeking a greater emphasis on the former. This may also play into the adequacy question.
It is important to recognise the DP plans as part of comprehensive UK reforms to digital regulation. They parallel many of the digital reforms in the EU, such as the Digital Services Act and Digital Markets Act. Businesses with data driven business models will also need to consider how their governance and risk management for data protection interacts with these other digital policy reforms:
- The Online Safety Bill and its intersection with data protection, privacy and regulation of algorithms
- Digital Identity – a new trust framework and statutory regime will be recognised in the Bill
- Proposed legislation on the regulation of digital markets
- Current consultation on app store security and privacy
- The June 2022 UK Digital Strategy draws together many of these strands under the banner of “a light-touch and pro-innovation regulatory regime”
International data transfers
We can also be sure that international transfers will remain close to the top of the agenda for data protection in 2022. Surveys of organisations and data protection professionals continue to place this issue high in their DP risk profiles. You can find a number of blogs by the team here at Allen and Overy on the topic.
The impact of the CJEU Schrems II decision continues to develop, and this case law continues to apply as retained precedent in the UK (though noting the possible reforms discussed above). When using transfer tools such as Standard Contractual Clauses (SCCs), the challenge for business is the uncertainty of compliance, even after a thorough case-by-case assessment of the target third country. EU Data Protection Authorities have taken a clear stance that rejects a risk-based approach for transfers to third countries, for example where the risk to individuals can be documented as low due to a number of factors, such as the nature of the data. The Austrian Authority has provided the clearest decisions on this issue so far, in two cases involving controllers who used Google Analytics and the transfer of data to Google in the US. In France, the CNIL has also made clear that a risk-based approach is not possible and has enforced against controllers who have used the service.
In the UK, the ICO has always been clear that it will continue to apply its Regulatory Action Policy to any Schrems II related compliance issues and take a risk-based approach to enforcement. The ICO’s new International Data Transfer Agreement (IDTA) is also now in place, offering an alternative to EU SCCs for UK controllers. The ICO’s IDTA offers a different approach to the EU SCCs – it is a single, ‘one size fits all’ agreement, compared to the EU’s modular format. Businesses may find this more flexible, and it covers more scenarios than the EU SCCs, including transfers to processors who are not sub-processors. The ICO has also provided the option for UK controllers to continue to use EU SCCs via an addendum, which may assist organisations who want to continue with a consistent global approach to transfers.
The ICO has also consulted on a new transfer risk assessment (TRA) process and a tool to assist controllers with Schrems II compliance. Organisations will need to use this with the IDTA. The ICO will publish the final TRA soon - the risk based approach taken in the document and comparison with the EU DPA decisions (e.g. Austria above) will be an important area for businesses to consider.
The pressure for the European Commission and the UK Government to provide greater stability through adequacy decisions remains a key issue for 2022. In March we finally had news of a preliminary agreement between the EU and US on a new Transatlantic Data Privacy Framework. This aims to address Schrems II and re-enable the certification system under the Privacy Shield. This has set a more positive outlook for 2022 though the detail is not published and final approval from the EU is still to come. The UK Government has its own Adequacy Programme and is also engaging with the US on a new adequacy decision.
There is much speculation about whether the new framework will meet final EU approval and survive future legal challenges. It makes sense to filter out a lot of the noise for now. If you want a balanced overview of the prospects, this excellent blog on Lawfare by Raffaela Wakeman is recommended – it addresses questions about whether Executive Orders and the proposed Data Protection Review Court would be effective in meeting the legal tests from Schrems.
There is now a significant debate about costs and benefits of the global system for international data transfers:
- Is it fit for the digital reality of our interconnected use of systems such as cloud and AI?
- Do we risk a retreat into a greater focus on digital sovereignty and data localisation?
- Are the costs of compliance for transfers under GDPR proportionate to the risks? Does the unrelenting focus on transfers distract businesses from investing in other areas of accountability and risk management related to data protection, for example use of AI?
- Is there an opportunity to create a new system of global trust and accountability for transfers that can proportionately meet public expectations on protections for their data wherever it is located?
These debates have led the New York Times to claim that ‘The Era of Borderless Data Is Ending’.
The recent announcement that the Cross Border Privacy Rule (CBPR) system will be reformed, moved out of APEC and positioned as a global system, is another indication that policy makers are stepping up to the challenge. The key question is whether the new Global CBPR Forum can create a refreshed accountability system that can better inter-operate with the EU and UK GDPR.
Lastly, the ongoing work by the OECD to develop a new instrument on government access to data held by the private sector also points towards an international system with common principles and trust. It can also place a more objective focus on the difference between democratic systems based on the rule of law and authoritarian states’ data surveillance practices.
In the short term organisations will need to continue to invest in their governance for transfers and impact/risk assessments. Ongoing disruption and friction to transfers remains likely but with some more positive medium and longer term prospects now emerging.
Post Covid – learning lessons and stepping back
2022 saw a bigger push towards the ‘new normal’ and learning to live with Covid-19 became more of a reality. But that doesn’t mean all the data protection implications have faded away – there are still important compliance questions ahead.
It’s now important to take a step back and learn lessons. In the UK we have the forthcoming Public Inquiry, and use of data is referenced in the recommended terms of reference. The experience of how Data Protection law worked during Covid also informed the DCMS consultation on data reform.
Previous posts on the A&O Digital Hub have highlighted challenges and opportunities posed by Covid, data collection and new technologies in the workplace. Whilst collecting health data for employers was not new, Covid posed new questions about lawful bases for processing under Article 9 of the GDPR, and what is necessary and proportionate. This was also explored in the context of employee testing on the Digital Hub last year.
In 2022 employers will need to turn their minds to reviewing the data governance they put in place during 2020 and 2021. There will be work to ensure data retention periods are respected and data collection practices remain proportionate in the new context.
A significant percentage of workplaces are also adopting hybrid working practices for the long term. Various technologies to monitor employee productivity may have been deployed at speed during the pandemic. The data available to monitor performance is becoming highly granular and interactive, combining data from many sources such as laptop cameras and keystrokes.
It will be important for employers to revisit Data Protection Impact Assessments conducted during the pandemic, reassessing evidence of effectiveness and necessity. Transparency is also a key question to consider and is a vital part of wider employee communication and engagement. The ICO’s recent consultation on employment practices received evidence of concern on transparency of employee monitoring.
The transformative benefits of Covid vaccines are a lasting positive from the pandemic compared to the many other challenges left for our economies and societies. With the use of AI heading towards mainstream applications in primary healthcare, and in research, there is likely to be significant focus on uses of health data. This will include uses in the public and private sectors and how these sectors work together. Organisations that want to unlock the benefits must take practical and effective steps to assure the public their data is safe and their privacy is respected.
Innovation in privacy enhancing technologies related to health is of rising importance. The use of Trusted Research Environments (TREs) will be crucial to allowing a wider range of research uses.
What is a TRE? The Understanding Patient Data website provides a detailed explanation of how they provide a secure environment for research.
The April 2022 report by Professor Ben Goldacre set out a series of recommendations on how NHS data can be used for research safely and efficiently. The report highlights the risks of current pseudonymisation techniques, data sharing, data release, complex governance and over-reliance on trust through patient engagement. The report makes wide-ranging recommendations; a key focus is a practical approach centred on Trusted Research Environments.
NHS data is key to research in both the public and private sectors. The public are particularly concerned about uses of NHS data by the private sector, such as re-use and identification, and linkages to other services. The focus on TREs as a privacy enhancing solution points to an important direction for transforming health data governance in the years ahead.
The last theme I want to highlight is the growing importance of children’s privacy. The priority the ICO has placed on the issue is well documented and I was proud to have led the work to develop and introduce the Age Appropriate Design Code. The model of data protection by design and default to protect children online is becoming a practical reality for the first time. The internet was not designed with children in mind and now we are playing catch up. The ICO has set out 15 standards for organisations to follow – covering areas such as default settings being off for profiling, age appropriate application and taking a risk-based approach to age assurance (which is more flexible than requiring age verification in all cases). The Code is now in force, and the ICO are monitoring and have written to over 50 businesses.
The lead taken by the ICO’s Code is converging with many initiatives around the globe – new codes are planned in Australia and Canada and in California legislators are considering the Age Appropriate Code Design Act. There have also been important instruments and standards from the United Nations, OECD and IEEE.
The European Data Protection Board (EDPB) also plans to issue guidance in 2022, and in June the European Consumer Protection Cooperation (CPC) Network and the EDPB issued 5 key principles of fair advertising to children, further illustrating the increasingly joined-up approach to regulation in this area.
This coincides with the renewed focus on the harms from user generated content on social media and other platforms. Businesses addressing both children’s privacy and content harms need to have governance in common around managing risks, particularly related to algorithms.
A key trend is the issue of scope - previous approaches to protecting children online have tended to focus on regulating services that are directed at children. Legislators are moving towards a broader approach to cover all services that are ‘likely to be accessed by children’. Businesses will need to document their position against this test, including evidence from usage of their services and research they undertake. This may also need to be reviewed over time. Businesses will also need to review and adapt their impact assessment processes if they are caught by the requirements. A proper understanding of risks will also enable organisations to take proportionate measures that will work in the context of their online service.
For a digitally driven business with a significant percentage of child users, a successful approach to protecting children’s privacy online will need to focus on deploying a design approach with UX techniques. This should enable effective protections by default, and controls that allow children to explore and learn online as their understanding develops. This should be underpinned by real-time transparency that no longer relies on the model of the linear privacy notice as the main way to communicate privacy information. The ICO has provided a number of additional resources to support businesses in this area.
The road ahead for data protection points towards greater convergence into a wider framework of digital regulation. Some challenges, such as those related to international transfers, remain, but reforms are starting to address the wider context. This ever-changing environment highlights the importance of organisations implementing data protection programmes that can respond to these changes and also be sustained for the long term. Continued investment in accountability programmes and governance that can identify and manage risks remains vital.