Data protection | UK Regulatory Outlook November 2022
Published on 30th Nov 2022
ICO publishes updated guidance on international data transfer requirements | UK government finalises South Korea data adequacy decision | Deadline looms for transitioning contracts to new EU SCCs
ICO publishes updated guidance on international data transfer requirements
The UK Information Commissioner's Office (ICO) has published its long-awaited update to its international data transfers guidance, including a new section on transfer risk assessments (TRAs), and it has finalised its transfer risk assessment tool. The guidance provides helpful clarity for organisations on: (a) when a transfer is caught by the UK GDPR Chapter V requirements, therefore requiring either an adequacy decision, appropriate safeguards (such as the ICO International Data Transfer Agreement), or a derogation; (b) when a TRA is required; and (c) how the ICO recommends carrying out TRAs in a reasonable and proportionate manner.
We are still awaiting further guidance from the ICO on how to use the new International Data Transfer Agreement and UK Addendum to the EU standard contractual clauses (SCCs) that were finalised earlier this year.
UK government finalises South Korea data adequacy decision
On 23 November 2022, the UK government announced that it had laid before Parliament legislation that would enable the free flow of personal data between the UK and South Korea following the completion of its adequacy assessment. The legislation is expected to come into force on 19 December 2022. From that point, organisations transferring personal data from the UK to South Korea will no longer need to put in place appropriate safeguards under the UK GDPR, such as the UK International Data Transfer Agreement. Notably, this is the UK's first independent adequacy decision under the UK GDPR since leaving the EU.
(Note: The European Commission had previously determined South Korea adequate for transfers from the EEA under the EU GDPR towards the end of 2021. Given this was finalised post-Brexit, this adequacy decision was not recognised under the UK GDPR. Interestingly, the UK government believes that its adequacy decision is "broader than the EU's deal with South Korea", in part due to the wider scope of personal data caught by the decision.)
Deadline looms for transitioning contracts to new EU SCCs
The date has nearly arrived: from 27 December 2022, organisations will no longer be able to rely on the old version of the EU SCCs for transferring personal data from the EU to third countries under contracts which were concluded before 27 September 2021. Organisations which have not finalised the phasing out of the old EU SCCs from their contracts in respect of cross-border transfers of personal data under EU GDPR have one month to complete this process. (Different timelines apply for cross-border transfers of personal data under UK GDPR.)
EDPB consults on new guidance on personal data breach notification and identifying a lead supervisory authority, and on BCR recommendations
The European Data Protection Board (EDPB) has published updated guidance and recommendations for consultation on the following topics.
Personal data breach notification requirements under the EU GDPR.
The draft updates to the guidance concern the availability – or lack thereof – of the one-stop-shop system for breaches that occur at non-EU based establishments. This could result in a significant administrative burden on non-EU establishments to, in the event of a personal data breach, notify all data protection authorities in those Member States where affected data subjects reside. Respondents have until 29 November 2022 to submit their comments on the updates to the EDPB.
Identifying a controller or processor's lead supervisory authority under the EU GDPR.
The draft updates to the guidance address the designation of a lead supervisory authority in the event of a joint controllership arrangement. Most notably, the draft updates provide that the "notion of main establishment is linked ... to a single controller and cannot be extended to a joint controllership situation". Respondents have until 2 December 2022 to submit their comments on the updates to the EDPB.
Recommendations on the Application for Approval and on the elements and principles to be found in controller BCRs.
The draft guidance provides a standard form for the application for approval of Binding Corporate Rules (BCRs) for controllers, clarifies the necessary content of the BCRs and gives broader explanations of the requirements. According to the EDPB, the purpose of the recommendations is also to bring the existing guidance on BCRs in line with the requirements of the CJEU's Schrems II judgment. Respondents have until 17 November 2022 to submit their comments on the recommendations to the EDPB.
ICO publishes new guidance on use of personal data and AI
On 8 November 2022, the ICO published guidance on the appropriate use of artificial intelligence (AI) and personal data protection for organisations. The guidance highlights eight key tips for how organisations can improve the handling of AI and personal information. The guidance also includes a helpful Frequently Asked Questions section for organisations planning to use AI, including questions on when a data protection impact assessment is necessary and what steps can be taken to avoid bias and discrimination.
ICO updates guidance on direct marketing using live calls and electronic mail
Please see Advertising and marketing.
ICO launches consultation for draft guidance on workers' health information
Please see Environment and immigration.