Data law | UK Regulatory Outlook February 2024

EDPB on the notion of main establishment – further erosion of one-stop-shop or merely clarification?

On 13 February 2024, the European Data Protection Board (EDPB) adopted an opinion on the notion of the main establishment of a controller in the EU under Article 4(16)(a) of the General Data Protection Regulation (GDPR). This is a cornerstone of the GDPR's one-stop-shop mechanism as it is key in determining which of the EU data protection authorities (if any) is the lead supervisory authority in cross-border data protection cases.

The EDPB's conclusions include that a controller’s “place of central administration” in the EU can only be considered as a main establishment if it takes decisions on the purposes and means of the relevant data processing, and has the power to have such decisions implemented. As such, if decisions on the relevant processing are taken outside of the EU, there can be no main establishment and the one-stop-shop does not apply.

The EDPB also emphases that the burden of proof in relation to the "place of central administration" ultimately falls on the controller, pointing out that controllers have various ways of making/evidencing that determination, for example, in records of processing and privacy policies/notices.

EDPB's new website auditing tool

The EDPB has launched a new website auditing tool to help analyse website compliance with data protection laws. It is designed to assist both legal and technical auditors at data protection authorities, as well as businesses who would like to test their own websites.

The new tool allows users to prepare, conduct and assess audits directly by simply visiting the website in question. It uses free and open source software and is available for download.

ICO consults on its Enterprise Data Strategy – part of the ICO's 'show, not tell' approach

The UK Information Commissioner's Office (ICO) has launched a consultation to collect views on its draft Enterprise Data Strategy. The strategy sets out how the ICO will use the data it holds to inform and direct its corporate, regulatory and strategic priorities. Examples it gives of how it might make better use of data include:

• Translating data into insights using data visualisation tools; such as, by sharing insights around complaints data to help businesses proactively address potential issues and improve compliance, or using data to explore and evaluate the priority of new work requests (making best use of finite resources).
• Creating an "organisation 360 degree view" – the ICO says that by bringing together, or integrating data it has on an organisation into a single platform, potentially augmenting that with external datasets, and then making it available across the ICO's casework, audit, registrations and regulatory environment teams, it will be better able to make data-led decisions and more swiftly respond to emerging threats.
• Development of an AI-driven solution that is capable of swiftly assessing cookie banners on websites, thereby efficiently identifying and highlighting instances of non-compliance. Sound familiar (see above)?

The strategy document provides a fascinating insight into how the ICO is intending to use data and technology to drive efficiencies in how it regulates, with a view to having a greater impact using the (limited) resources available to it.

The ICO's consultation on its Enterprise Data Strategy closes on 12 March 2024. It intends to publish its final strategy and roadmap in May 2024.

ICO warns organisations to proactively make advertising cookies compliant

The ICO has received a positive response to its call to action, with 38 organisations having changed their cookie banners to be compliant and four having committed to reach compliance within the next month, out of the 53 organisations contacted. Others are working to develop alternative solutions, including contextual advertising and subscription models ("pay or OK").

The ICO is now turning to the rest of the top 100 websites, and then the next 100, and then the 100 after that…

The risk of ICO enforcement action arising from perceived non-compliance with the rules on cookies has increased significantly over the last few months, and will continue to be an area of focus for it through 2024.

Other EU data protection authorities have taken a similar stance on cookie banners; for example, the Dutch data protection authority has very recently issued new guidance on cookies, and has announced that it will intensify its oversight of the use of cookies – for more on this, please see our recent Insight.

New guidance from the ICO on content moderation and data protection 

With the enactment of the UK Online Safety Act 2023 (OSA), which places duties on online platforms to protect online users from harmful content, the ICO has published new guidance to assist online platforms to comply with the UK GDPR and the Data Protection Act 2018 (DPA) when undertaking content moderation. This follows the ICO's call for views on the subject in June 2023 and is the first in a series of products it intends to publish to ensure regulatory consistency between the data protection and online safety regimes.

The guidance looks at what content moderation is and how personal data fits in. It also provides useful clarity for organisations on the appropriate lawful basis for processing personal data for content moderation activities, how to ensure compliance with data protection law principles (such as transparency and data minimisation), and the application of automated decision-making under Article 22 of the GDPR. This guidance forms part of the ICO’s ongoing collaboration with Ofcom on data protection and online safety technologies. For more information on online safety regulatory developments, please consult our Insights.

Organisations that carry out content moderation, whether for compliance with new online safety laws or otherwise, should consider the ICO's guidance alongside their own data protection practices.

Responsible sharing – ICO announces campaign on sharing data to protect children

The ICO has announced a campaign titled "Think. Check. Share." which aims to show how data protection law can help organisations share personal information responsibly when required to safeguard children and young people.

As part of the campaign, the ICO has developed a toolkit of free resources to promote responsible data sharing, which includes posters, videos, infographics and content for social media.

On a similar theme, the ICO published a blog in December 2023 on data sharing within the housing sector, in which it sought to "bust some data sharing myths that might mistakenly prevent an organisation from safeguarding its residents".

The ICO is keen to emphasise that data protection law provides a framework for making decisions about sharing data appropriately; it is not a barrier to sharing information when needed.

House of Lords Committee on the Constitution publishes report on DPDI Bill

The Data Protection and Digital Information Bill (DPDI Bill) is currently at the committee stage in the House of Lords having previously passed through the House of Commons and two readings in the Lords.

The Lords' Committee has now published its report on the DPDI Bill, in which it has raised a number of comments, including on the following issues:

• the breadth of the secretary of state's power of discretion to determine and vary the conditions under which personal data can be processed;
• the broadening of the basis for refusal of a data access request on a "vexatious or excessive" request;.
• inadequate definition of key terms; and
• lack of information regarding the removal of "proportionality" requirements when assessing the impact of "high risk processing".

The DPDI Bill is expected to become law in the next few months and businesses should be keeping an eye on its progress. Businesses should consider what changes will be needed, or could be made, to their internal processes and procedures (such as records of processing) to ensure ongoing compliance or, potentially, to benefit from the changes being introduced.

For further information about the content and progress of the bill, please see our January edition.

ICO urges all app developers to prioritise privacy

Following the ICO's review of period and fertility apps last year, the ICO is reminding all app developers about the importance of protecting users' personal information. While no serious compliance issues were found in this review, the ICO has highlighted that transparency, valid consent, establishing a correct lawful basis and being accountable are four key pillars to ensure compliance and prioritise users' privacy.

App developers should make sure that data protection and privacy considerations are taken into account at the very early stages of the app design process and throughout it, both to ensure compliance and to minimise the risk of difficult (and costly) development/design changes having to be made once the app is operational.

ICO publishes second annual Tech Horizons Report

The ICO has announced its second annual Tech Horizons Report, in which it examines eight emerging technologies – including neurotechnologies, immersive worlds, drones and personalised AI – for possible data protection implications. The ICO's aim for the report is to explore how these technologies could potentially transform lives while nonetheless addressing any privacy risks.

We can expect the ICO to continue to focus on the implementation and use of these emerging/developing technologies over the next year and beyond.