Data protection | UK Regulatory Outlook February 2023

Update on the ICO's enforcement approach for communication service providers

The ICO published an update on 2 February 2023 to clarify its position on enforcing Regulation 5A of the Privacy and Electronic Communications Regulations 2003, following the removal of a prior statement on the topic which it published in January.

Under Regulation 5A, public electronic communication service providers (CSPs) are required to notify the ICO within 24 hours of becoming aware of a personal data breach. 

In line with the ICO's three year strategic plan on reducing the data protection compliance burden on organisations, the ICO confirms that it will focus its resources on investigations where significant harm to individuals is more likely. The ICO therefore detailed a more proportionate enforcement approach for Regulation 5A, most notably the "ICO will use its discretion not to take enforcement action against CSPs under Regulation 5C PECR if they fail to comply with the 24-hour notification requirement in relation to such incidents, provided that they are still notified to the ICO within 72 hours of the breach". 

UK PM overhauls government departments, including focus on innovation and tech

Shortly after his 100th day in office, the UK prime minister, Rishi Sunak, announced the creation of four new government departments, including a new Department for Science, Innovation and Technology (DSIT). One key consequence is the transfer of responsibility for digital and data policy from the Department for Culture, Media and Sport (DCMS) to the new DSIT.

The Research and Insights Director for IAPP (the International Association of Privacy Professionals), Joe Jones, who also previously worked at the DCMS as deputy director of International Data Transfers, said the creation of DSIT "could pave the way for advances for the UK government's work to reform the GDPR," and secure new international "data bridges". It remains to be seen how the reshuffle may – or may not – impact the progress or substance of the Data Protection and Digital Information Bill (which we identified as a "Hot Topic" for 2023 in last month's Regulatory Outlook).

European Parliament Committee adopts draft Data Act

In a step forward for the EU Data Act earlier this month, the European Parliament's Industry, Research and Energy Committee adopted the draft "Regulation on Harmonised Rules on Fair Access to and Use of Data", which European legislators hope will help to innovate the use of data in the EU. Among other issues, the Committee sought to focus on strengthening the Data Act's protection of trade secrets and to set stricter conditions on business-to-government data requests. 

The draft Data Act is set to be put to a vote by the full European Parliament during the 13-16 March 2023 plenary session.  

New ICO guidance for game designers on how to comply with the Children's Code 

Following a push by the UK government last year to encourage organisations to focus on safeguarding children's data privacy, the ICO has issued a series of recommendations this month to help game developers better understand what steps to take to comply with the ICO's Children's Code.

Commenting on these recommendations, Leanne Doherty, Group Manager at the ICO, said, "Gaming plays a central part in so many young people's lives, and the community and interaction around games can be a child's first steps into the digital world. We want those first experiences to be positive ones, and the recommendations we've published today are there to support game developers".

The recommendations are based on the ICO's findings following a series of voluntary audits by the ICO within the video gaming industry.

EDPB final report on cookie consent dark patterns

The European Data Protection Board has adopted a final report on its Cookie Banner Task Force outlining the EU authorities' opinion on the design and characteristics of cookie banners. The taskforce was launched in September 2021 following a number of complaints from the NOYB-European Centre for Digital Rights (a non-governmental organisation co-founded by privacy activist, Max Schrems) concerning these issues. The final report is the result of coordinated effort by the European data protection authorities (DPAs) led by France's CNIL and the campaign group.

Given the number of complaints and countries affected as well as the high importance of the matter for the users' privacy, the EU DPAs agreed on a harmonised position in relation to handling complaints on cookie banners. The main highlights of the report are:

• The majority of authorities agreed that the lack of an option for a user to reject or not consent to cookies that would be as easy as to accept them is a breach of the ePrivacy Directive.
• The taskforce confirmed that pre-ticked boxes to opt-in do not constitute a valid consent under the General Data Protection Regulation or the ePrivacy Directive.
• In terms of cookie banner design, the information should enable users to easily understand what they are consenting to and how to do so.
• In terms of deceptive colours and contrast, the DPAs concluded that they cannot set a standard design for colour or contrast (for example, a highlighted button to "accept all" that leads the user to choose this option) of cookie banners and that these situations should be reviewed on a case-by-case basis.

MEPs urge European Commission to reject EU-US adequacy

In a potential setback for the proposed EU-US adequacy decision, the European Parliament Committee on Civil Liberties, Justice and Home Affairs (Committee) has released a draft opinion which does not support the European Commission's decision to extend an adequacy decision based on the proposed EU-US Data Privacy Framework.

The Committee argue that the proposed EU-US Data Privacy Framework "fails to create actual equivalence in the level of protection" offered under the EU GDPR and that the European Commission should instead continue negotiations with the US for a mechanism which does ensure equivalence. It is not yet clear how influential this draft opinion will be on the European Commission. 

CJEU issues decision in DPO conflict case

Earlier this month the Court of Justice of the EU (CJEU) issued a preliminary ruling in the case between X-Fab Dresden and its former Data Protection Officer (DPO). 

The ruling concluded that, based on Article 38 of the EU GDPR, DPOs can maintain other tasks and duties within their role, but only if they do not result in a conflict of interest (as determined by a national court on a case-by-case basis). The CJEU affirmed that DPOs should, "be in a position to perform their duties and tasks in an independent manner" and "cannot be entrusted with tasks or duties which would result in him or her determining the objectives and methods of processing personal data on the part of the controller or its processor".

This is an area where EU and UK GDPR may soon diverge. The CJEU has reaffirmed the requirement of independence of a DPO under the EU GDPR; in contrast the UK government is seeking to move away from this position under its planned reforms to UK data protection law (under the still draft Data Protection and Digital Information Bill, which we identified as a "Hot Topic" for 2023 in last month's Regulatory Outlook).  

European Commission to propose new regulation on cross-border enforcement of the GDPR

According to the European Commission's website, it is planning to propose a new regulation which will "streamline cooperation between national data protection authorities when enforcing the General Data Protection Regulation (GDPR) in cross-border cases" in the second quarter of this year.  

At this stage, there is limited information on the proposal itself, but it is likely to be a response to the growing criticism from privacy activists and campaigners of the lack of enforcement from European data protection regulators.