Data Protection | UK Regulatory Outlook January 2023

This year is shaping up already to be a busy year in the world of data protection. For this January edition of our Regulatory Outlook, Osborne Clarke's data protection experts have provided an overview of key data protection developments and predictions for 2023, the ICO's priorities for this year, as well as broader data regulation trends. 

To stay up-to-date with these developments, please keep an eye out for future editions of our Regulatory Outlook, our Dipping into Data series of webinars and our Annual Data Event which will return later this year. 

Hot data protection topics for 2023

UK data protection reform

The elephant in the room since the UK GDPR (General Data Protection Regulation) became its own distinct regime from the EU GDPR: how far will the UK GDPR diverge from the European framework?

2023 may be the year where the answer to this question starts to become a little clearer. The Data Protection and Digital Information Bill, which sets out the current proposal to reform UK data protection law, was stalled towards the end of last year but the latest suggestion from the government is that it will soon go out for consultation.

While we anticipate that the bill will not continue unamended, it seems unlikely to change too significantly, particularly in light of the need for the UK to maintain its adequacy decision with the EU (which enables the free flow of personal data from the EU to the UK).

International data transfers

2022 ended with the UK's first independent adequacy decision, granted in respect of South Korea, and 2023 has all of the right ingredients to be a blockbuster year for more adequacy decisions from the UK government. Dubai International Finance Centre, Singapore, Australia and India are a few of the names on the government's target-list.

However, the most anticipated development this year is the European Commission's third attempt at an EU-US adequacy decision, and the expectation that the UK will put in place a UK-US equivalent (see more in our Insight). The European Commission published the draft adequacy decision at the end of last year, and they now await input from the European Data Protection Board and Member State representatives. It seems inevitable that even if the text is approved, it will not be without challenge from Mr Schrems' privacy activity group, NOYB.

Data transfer contract clauses

Many businesses are breathing a well-earned sigh of relief following the completion of transitioning contracts to the new EU standard contractual clauses (SCCs) ahead of the December 2022 deadline. We can expect 2023 will see the start of a similar exercise ahead of the March 2024 deadline for updating contracts to the new UK International Data Transfer Agreement or UK Addendum (see here for more information).

We also still expect further news from the European Commission on another set of EU SCCs to cover a scenario where the data importer is itself directly caught by the EU GDPR, and, in the UK, further guidance from the Information Commissioner's Office (ICO) on how to use the UK International Data Transfer Agreement and UK Addendum.

Online advertising

Towards the end of last year, the ICO published updated guidance on direct marketing, which included additional guidance for organisations on compliance with data protection and the Privacy and Electronic Communications Regulations (PECR) requirements in the context of online advertising (albeit the text was far lighter than that proposed in its draft Direct Marketing Code of Practice, which has been put on hold).
However, the ICO has otherwise gone seemingly quiet on its wider investigation into the ad tech industry. That said, online advertising appears to be a far more pressing issue for the European regulators and 2023 has already started with regulatory enforcement from the Irish Data Protection Commissioner on this topic, as well as further developments from the Belgium data protection authority on the IAB's Transparency and Consent Framework.

Certifications

As previously reported, last year saw the first GDPR certification scheme called "Europrivacy" receive formal approval. Europrivacy enables organisations to assess and certify the compliance of their data processing with the EU GDPR and complementary national data protection regulations. Organisations with certified data processing activities can identify and reduce their risks and demonstrate their compliance to help enhance their business reputation and improve access to markets. Osborne Clarke is an official partner for the scheme and our team of experts can assist with your compliance – see more information. As the benefit of such initiatives start to bear fruit, we expect many more organisations to seek accreditation and the further organic growth of industry codes of conduct.

ICO priorities for 2023

ICO25 plan

2022 saw the ICO publish the "ICO25" plan which established its targets for the next few years. One key focus to expect in 2023 is enforcement, with the ICO promising to safeguard and empower individuals by "upholding our information rights and enabling us all to all confidently contribute to a thriving society and sustainable economy".

Following an "evidence led" approach, the ICO has promised to make interventions in a timely and effective manner, also publishing specific targets such as to "assess and respond to 80% of data protection complaints within 90 days".

ICO guidance

2023 promises to be another year of new and updated ICO guidance. As part of its ICO25 plan, it has promised to publish a "guidance pipeline", at which point it will become clear what more we can expect from the ICO.

The most anticipated guidance is likely to be the clause-by-clause guidance on how to use the International Data Transfer Agreement and UK Addendum. Further guidance which can be expected to hit the shelves will cover topics such as anonymisation and privacy enhancing tools, and data subject access requests.

Enforcement predictions

The ICO is likely to continue its focus on certain areas for enforcement. This is commonly taken to mean "fines" but this not always the case – the ICO handed out eight reprimands in the first half of 2022 and 20 in the second half and the trend is for increasing publicity of its enforcement action, so expect more enforcement headlines in 2023.

What will be top of the ICO's naughty list? We expect PECR violations and security breaches to remain at or near the top of the list, but the ICO's 2023 plan sets out that children's privacy and the impact of technology on vulnerable groups will also be an area of focus for the ICO's investigation work in 2023.

Data regulation – beyond data protection in 2023

Data privacy is a key pillar of the data regulation world, but it could be eclipsed by the wave of other data regulation set to tantalise lawyers through 2023. With the advent of the data economy, the regulators have set their horizons beyond just data privacy.

Most notably, the EU has some significant data-related legislation in force or on its way (the Data Governance Act, Data Act, Digital Services Act, Digital Markets Act and more…) and we expect that they will, in some guise, be reflected and influence the approach taken in the UK. However, the current trajectory for the UK in the short term is quite different, with an emphasis on reducing the administrative burden on companies and increasing flexibility – the antithesis to more regulation – but with a similar aim to the EU of improving data sharing and access to data. In any event, there will be lots to keep data teams busy.

To hear more from our experts on this topic, you can register for our upcoming Dipping into Data webinar on "Beyond privacy – a new era for UK and EU data regulation" on 27 February 2023