Data protection | UK Regulatory Outlook October 2023

Dipping into Data – Webinar Series

Our Dipping into Data series continues in November. Following this month's webinar on the ICO's Data Protection Practitioners' Conference, we are looking forward to diving into a keenly debated issue of the moment: cross-border data transfers. (You can register to attend the session using this link.)

ICO issues opinion on government assessment of UK extension to EU-US DPF

The Information Commissioner's Office (ICO) has issued its anticipated opinion on the Data Protection (Adequacy) (USA) Regulations 2023 for the UK extension to the EU-US Data Privacy Framework.

The ICO considered that the extension was not wholly without risks to UK data subjects. However, it was reasonable for the secretary of state to conclude that the UK extension provided an adequate level of protection for UK data subjects.

In addition to monitoring developments in US legislation, the ICO recommended that the secretary of state should pay particular attention to the following areas given the lack of substantially similar legal protections in the US:

• criminal offence data, in particular in relation to the UK's Rehabilitation of Offenders Act 1974 for which there is no US equivalent;
• right of protection from automated processing; and
• the right to be forgotten or an unconditional right to withdraw consent.

Top five Data Protection Practitioner's Conference takeaways

Following the ICO Data Protection Practitioner's Conference (DPPC) in London, here are five of the top insights we took away from the event.

• Data Protection and Digital Information (DPDI) Bill. The DPDI Bill is expected to become law during the course of next year. The ICO considers the bill as a reformed, trusted and pro-growth data rights regime, which will provide additional clarity and flexibility for businesses to help them reduce costs in complying with their data protection obligations. Key topics discussed included the implementation of the role of "responsible person" as a replacement to the current data protection officer role and ways in which the ICO will support businesses to navigate the DPDI Bill through guidance, communication and engagement with the wider business community.
   
• Cookies and 'dark patterns'. The ICO has made it clear that non-compliant use of cookies remains an important focus of its enforcement strategy; in particular, those that make use of "dark patterns" and deceptive design technology. The ICO made it clear that its severity of enforcement will depend on an organisation's engagement following an ICO warning.
   
• AI revolution. The ICO has acknowledged the major changes that AI represents and that it will update its AI toolkit to support companies putting in place a framework to use AI safely. The ICO is always reviewing its guidance on AI, most recently on fairness of AI systems and will continue to support businesses through this change. For more on AI, please see Artificial Intelligence.
   
• Data transfer and sharing. The DPPC touched upon the importance of using privacy enhancing technologies (see the ICO's guidance on privacy-enhancing technologies) and provided practical guidance for safeguarding data transfers. This includes making sure that a transfer risk assessment is appropriately carried out and an International Data Transfer Agreement is put in place. The ICO mentioned that additional draft guidance is to be released in light of the US-UK Data Bridge to help companies comply with good data governance practices.
   
• Cybersecurity. The DPPC focused on cybersecurity and how to help businesses minimise the risk of data breaches. Most cybersecurity issues come from negligent internal governance and businesses need to maintain a secure supply chain and make cybersecurity a priority. Suggested ways to raise awareness included board level briefings and executive engagement.

ICO consultation on draft Data Protection Fining Guidance

The ICO is consulting on new draft guidance on the issuing of penalty notices and calculating of fines under UK data protection legislation. The draft guidance explains the legal framework that gives the ICO the power to impose fines and how they are calculated, as well as the circumstances in which the ICO would consider it appropriate to issue a penalty notice.

The consultation will run until the 27 November 2023 and will then, once finalised, replace the parts of the Regulatory Action Policy which relate to the ICO’s approach to imposing and calculating fines.

The online survey can be accessed here.

UK tribunal overturns ICO enforcement and penalty notices issued against Clearview AI

In October, the First-tier Tribunal issued a decision overturning the ICO Enforcement Notice and Monetary Penalty Notice issued to Clearview AI Inc. in May 2022. This penalty was issued for Clearview's use of UK individuals' images to create an online global facial recognition database. The ICO argued this was in violation of UK data protection laws, as the company did not inform the individuals whose images it collected that their data was being processed.

The tribunal held that although this processing amounted to monitoring of UK data subjects, Clearview AI only provided its services to non-UK and EU law enforcement and national security agencies and, as such, their processing was beyond the material scope of the UK General Data Protection Regulation (even if not the territorial scope of the UK GDPR). It decided that the ICO did not have jurisdiction to issue the Penalty, and Clearview AI's appeal was allowed.