Data Protection | UK Regulatory Outlook June 2023
Published on 28th Jun 2023
Update on UK data protection reform | UK and US announce Atlantic Declaration | ICO publishes report on neurotechnology
Update on UK data protection reform
At the end of May, the UK Information Commissioner's Office (ICO) published its response to the Data Protection and Digital Information (No.2) Bill. The ICO welcomed the Bill, but as expected, recommended that some amendments and clarifications are made to it, including to the definition of personal data. However, the focus was on clarification around key terms and concepts rather than any fundamental changes to the content.
Having passed the second reading and committee stage, the Bill (updated version published on 9 June) remains in almost identical form to where it began (with only a small number of changes), despite the ICO's recommendations. It is now at the report stage and, if it continues to progress as expected, we think it could be adopted either this October or in the next parliamentary session, ahead of the next general election.
UK and US announce Atlantic Declaration
Earlier this month, the US and UK announced a new economic partnership, entitled the "Atlantic Declaration", which promises to deepen the two governments' economic partnership. As part of the declaration, the US and UK governments have agreed to cooperate across five pillars:
- ensuring US-UK leadership in critical and emerging technologies;
- advancing ever-closer cooperation on our economic security and technology protection toolkits and supply chains;
- partnering on an inclusive and responsible digital transformation;
- building the clean energy economy of the future; and
- further strengthening our alliance across defence, health security and space.
Most notably, the two governments have committed to establish "a U.S.-UK Data Bridge to facilitate data flows" between the UK and the US. Although there has been talk of a data bridge – in essence, an adequacy decision enabling the free flow of personal data from the UK to third countries – between the UK and US since last October, this declaration signifies a huge step forward. However, exact timings of when the data bridge will be finalised are still unclear.
ICO publishes report on neurotechnology
Following on from a promise set out in its ICO25 agenda, the ICO has published a report into neurotechnology, that is, technology which monitors the human brain. The ICO aims to appeal to individuals who want to learn more about neurotechnology from a regulatory perspective. In the report, the ICO explores the possible use cases for neurotechnology, which is expected to offer significant benefits to a variety of sectors including health, professional sports, personal wellbeing, marketing and entertainment.
While the ICO acknowledges the many benefits neurotechnology might bring, it also warns against the dangers, including the risk of discriminatory practices and potential for privacy concerns. The report highlights the need for legal safeguards and ethical considerations to protect individuals from harm, as neurotechnology continues to advance and may soon become a part of our daily lives. This report feeds into the ICO's Artificial Intelligence framework as well as its upcoming guidance on workplace surveillance.
Further concerns for generative AI and privacy from the ICO
Following the continued boom in AI discussion, the ICO has called for businesses to address privacy risks when looking to incorporate generative AI (such as ChatGPT) into their business operations.
Stephen Almond, Director of Regulatory Risk at the ICO, commented, "[b]usinesses are right to see the opportunity that generative AI offers, whether to create better services for customers or to cut the costs of their services. But they must not be blind to the privacy risks". Further, the ICO states that it is "committed to acting where organisations are not following the law".
ICO urges businesses to start using privacy enhancing technologies
The ICO has published new guidance on privacy enhancing technologies – known as PETs. Alongside this guidance, the ICO is encouraging organisations to start implementing PETs into their operations when sharing personal data so as to ensure sharing is done "safely, securely and anonymously".
According to the ICO, these types of technologies "open unprecedented opportunities for organisations to harness the power of personal data through innovative and trustworthy applications, by allowing them to share, link and analyse people’s personal information without having access to it".
EDPB adopts guidelines on calculation of fines and Article 65 consistency mechanism
In an attempt to harmonise the approach to fines under the EU GDPR, the European Data Protection Board (EDPB) adopted guidelines on the calculation of administrative fines. The guidance contains lots of useful information for supervisory authorities and organisations alike. One particular feature of the guidance is the adoption of a five-step methodology for calculating administrative fines under the GDPR. It remains to be seen what tangible impact the guidance will have on fines imposed by authorities, but many will hope that the guidance leads to a more transparent and consistent approach.
In addition, the EDPB also adopted guidance on Article 65(1)(a) of the EU GDPR. Under this provision, the EDPB is required to issue a binding decision where a lead supervisory authority receives objections from other supervisory authorities to a draft enforcement decision. The purpose of Article 65(1)(a) is to ensure consistency in the approach to enforcement of the EU GDPR across Europe, and the guidance seeks to provide more clarity and transparency on how this process operates in practice.