Data protection | UK Regulatory Outlook September 2023

UK – US Data Bridge  

The UK government has announced that the UK Extension to the EU-US Data Privacy Framework has now been established, enabling businesses to start using this from 12 October 2023.  Under the new data bridge, the UK will benefit from similar arrangements to the recently approved EU-US Privacy Framework. For details on the EU-US Data Privacy Framework, see our previous Insight.

This update has been highly anticipated and will come as welcome news to organisations. It will help facilitate business relationships between the UK and the US, as personal data which is subject to the UK GDPR can be transferred to organisations in the US that are certified under the framework, without needing to rely on an alternative data transfer mechanism (such as separate contractual obligations).

For more, see our Insight.

ICO and CMA call out harmful online design which encourages consumers to hand over personal data

The UK Information Commissioner's Office (ICO) and UK Competition and Markets Authority (CMA) are calling for businesses to stop using harmful website designs tools (such as dark patterns) that can influence a consumer's decision and online behaviour about the way their personal data is used, and trick them into giving up more data than they would like. These design tools include privacy-intrusive default settings and pop-ups that make it harder to refuse cookies than accept them.

The ICO and CMA have explained that these practices can infringe fairness and transparency obligations under data protection law, and they have the potential to affect competition in certain markets where firms rely on access to personal data to provide their products and services.

The ICO has confirmed that if it does not see improvements in the use of what it deems to be harmful online choice architecture (OCA) undermining consumers' control over their personal data, it will be taking enforcement action. In particular, it has said that it will be assessing the cookie-banners of the most frequently used websites in the UK and taking action where harmful OCA is affecting consumers. The CMA will continue to ensure that misleading practices such as these are tackled from all angles, including from a consumer and competition law perspective.

Please read our Insight for more information on this development.

ICO launches public consultation on guidance on biometric data

On 18 August 2023, the ICO launched a public consultation on the first phase of its draft biometric data guidance. The use of "biometric recognition" systems, being the use of biometric data for identification and verification (such as facial ID verification), has expanded significantly in recent years, particularly in certain sectors, such as banking and finance, entertainment and retail. This guidance will be welcome news for organisations grappling with understanding the requirements of the UK GDPR and applying them in practice.

The draft guidance covers a number of key points including the definition of biometric data, the way that biometric data is used and processed (including in biometric recognition systems), and the applicable data protection requirements.

The first phase of this guidance has been published for public consultation (ending 20 October 2023), and the second phase will include a call for evidence early next year.

ICO issues a joint statement on data scraping and data protection

The ICO and other international data protection and privacy authorities have issued a joint statement denouncing the practice of unlawful data scraping taking place on social media sites (and on other websites that host publicly accessible personal data).

Data scraping is an automated way to import large amounts of information from a website into a private database, which the ICO sees as a potential harm to web users. This includes the risk that this data will be used in cyberattacks or for identity fraud. 

The statement calls for social media companies, and other operators of websites that host publicly accessible personal data, to put in place additional safeguards against this practice, and a warning to such organisations that mass data scraping from their platforms and websites may need to be reported to the ICO as a personal data breach.

ICO to review period and fertility tracking apps

The ICO has announced that it is reviewing how fertility apps process users' personal data following user concerns over data security and transparency.

Over half of people who used the apps believed they had noticed an increase in baby or fertility-related adverts since signing up, which some users found distressing. The ICO is calling people to come forward and share their experiences through a survey, and have contacted relevant apps to find out information about the way in which data is processed and used.

This review will focus on whether there is the potential for harm and negative impact for users, such as "unnecessarily complicated and confusing privacy policies, leaving users in the dark as to what they have consented to, apps requesting or storing unnecessary volumes of data, or users receiving upsetting targeted advertising that they did not sign up to".

ICO signals new guidance on data protection and Internet of Things devices

In its response to a recent report by Which? relating to data processing in the context of smart devices, the ICO has made it clear that it expects organisations to be transparent with users about the data they collect and how it is used and shared. It has also announced that it is developing guidance on data protection and Internet of Things devices and will take action where organisations are not complying with data protection requirements.

Digital Regulation Cooperation Forum blog on building capabilities to assess algorithmic systems

The rise of algorithmic systems have had a massive impact on most sectors and companies from social media, generative artificial intelligence (AI) to facial recognition systems and algorithmic trading.

Regulators of the Digital Regulation Cooperation Forum (DRCF) (which include the ICO, the CMA, the Office of Communications (Ofcom) and the Financial Conduct Authority (FCA)) have issued a new blog on building capabilities to assess algorithmic systems.

According to the blog, the DRCF want to ensure that algorithmic systems meet good governance standards. To achieve this, each of the regulators have been investing in building skilled teams to guide regulatory policy and to enable them to carry out effective audits and investigations into these systems to ensure compliance with applicable UK law (such as data protection and consumer laws).

In addition, the DRCF is conducting research to understand how specialist auditing firms are developing algorithmic auditing services that focus on areas such as mitigating bias and improving fairness, creating or improving transparency, and providing explainability. The purpose being to inform its own approach and for potential future collaboration.

ICO updates guidance on information about workers' health  

Please see Employment and immigration.