Regulatory Outlook

Data protection | UK Regulatory Outlook November 2023

Published on 29th Nov 2023

UK King's Speech announces Data Protection and Digital Information Bill | UK government publishes IDTA and EU SCC Addendum evaluation | ICO to appeal Clearview AI decision

UK King's Speech announces Data Protection and Digital Information Bill

On 8 November, the UK Parliament announced that it would be carrying over the Data Protection and Digital Information (No. 2) Bill and reintroducing it in the 2023-2024 session, renamed the Data Protection and Digital Information Bill. The bill is intended to simplify and modernise the UK's data protection framework, providing greater flexibility to UK businesses in their compliance processes. For more information, please see our Insight.

The bill also sets out enabling legislation for smart data schemes in the UK; the recent consultation by the UK's Department for Science, Innovation and Technology (DSIT) on "Open Communications: a Smart Data scheme for the UK telecoms market" is a potential example of such a scheme.

UK government publishes IDTA and EU SCC Addendum evaluation

DSIT published the first phase of its evaluation into the implementation of the UK International Data Transfer Agreement (IDTA) and the Addendum to the European Commission's Standard Contractual Clauses (EU SCC Addendum). The evaluation assessed the changes from the European Commission's Standard Contractual Clauses to the IDTA and EU SCC Addendum and how they had been implemented by businesses.

The evaluation found that most businesses (especially SMEs) were at risk of incorrectly implementing both instruments due to a lack of awareness and reliance on larger suppliers for data protection compliance. The evaluation noted that the UK Information Commissioner's Office (ICO) should be raising awareness of the IDTA and EU SCC Addendum, as well as monitoring their implementation and evaluating their wider impact and uptake. A second phase of research will be conducted after the end of the transitional period.

The ICO has been promising guidance for organisations on how to use the IDTA and EU SCC Addendum for some time, but it has been subject to continuous delays and has seemingly been pushed down the ICO's priority list. It will be interesting to see whether these comments from DSIT push the ICO to finalise this guidance.  

ICO to appeal Clearview AI decision

The UK Information Commissioner's Office (ICO) seeks permission to appeal the Clearview AI decision of the First Tier Tribunal (Tribunal), in which the tribunal overturned the ICO's Enforcement Notice and Monetary Penalty Notice issued to Clearview AI for its use of UK individuals' images to create an online global facial recognition database in breach of UK data protection law.

As reported in our previous Regulatory Outlook, the tribunal held that although this processing amounted to monitoring of UK data subjects, Clearview AI only provided its services to non-UK and EU law enforcement and national security agencies and, as such, their processing was beyond the material scope of the UK General Data Protection Regulation (even if not the territorial scope of the UK GDPR). It decided that the ICO did not have jurisdiction to issue the penalty, and Clearview AI's appeal was allowed.

The ICO considers that the tribunal incorrectly interpreted the law in finding that Clearview AI's activities were not subject to UK data protection law on the basis that it provides its services to foreign law agencies. The ICO is arguing that, because Clearview AI does not itself process data for foreign law enforcement purposes, it should not fall outside the scope of UK data protection law (and the ICO's jurisdiction).

ICO warns UK's top websites to make cookie changes

On 21 November, the ICO issued a statement confirming that it has warned some of the UK's top websites that they face enforcement action if they do not make changes to comply with data protection law. Specifically, the ICO has requested that those websites make it as easy for users to "Reject All" advertising cookies as it is to "Accept All".

Those websites have 30 days within which to comply. The ICO will provide an update on this work in January, including details of companies that have not addressed its concerns. This update from the ICO follows comments made by it, together with the Competition and Markets Authority, on the use of dark patterns on websites and other online services (such as apps) (see our Insight).

EU Parliament approves Data Act

The European Parliament has adopted the EU Data Act, which was initially proposed in February 2022 by the European Commission as part of the EU Data Strategy package.

This new legislation aims to facilitate the voluntary sharing of data by individuals and businesses, in particular in the context of connected products or related services. The Data Act is also aimed at making better use of industrial data, enabling businesses to monetise and generate value through their data. It is expected to contribute to the development and use of artificial intelligence in particular, by enabling increasing amounts of data utilisation and sharing.

The Data Act applies to product manufacturers and suppliers of related services, data holders that make data available to EU recipients, and public sector bodies. Both personal and non-personal data are covered, and the Act addresses rights of access for B2B and B2C data sharing.

The Data Act still needs to receive formal approval from the European Council before it can finally become law.

EDPB adopts draft guidance on the scope of cookie requirements

The European Data Protection Board (EDPB) has issued draft guidance on the technical scope of the cookie requirements within the ePrivacy Directive, in order to "remove ambiguities related to the application of the said provisions to emerging tracking tools".

The guidance clarifies the core elements that determine whether or not tracking tools fall within scope of the requirements, such as the terms "information", "terminal equipment of a subscriber or user", "gaining access" and "stored information and storage".

The EDPB also applies this to a number of "common techniques" (beyond cookies), such as URL and pixel tracking and Unique Identifiers, clarifying that many of these alternative cookie solutions do still fall within the scope of the ePrivacy Directive.

The guidance is open for consultation, running until 28 December 2023.

EDPB picks topic for 2024 Coordinated Action

The European Data Protection Board (EDPB) has selected the topic for its third coordinated enforcement action during its October plenary, concerning the implementation of the right of access by controllers. This action will be launched in 2024, which will enable data protection authorities to prioritise this topic, generating deeper insight and implementing changes at the national level.

The previous topic selected by the EDPB was the designation and position of data protection officers (DPO). It has also announced that it expects to publish in the coming months its report on the outcome of this coordinated action.

UK Court of Appeal rules ICO acted lawfully in subject access request complaint litigation

The Court of Appeal has recently published its judgment in which it upheld an earlier High Court decision to dismiss a claim by an individual that the ICO had unlawfully failed to determine his complaint about a subject access request made to an organisation.

An important question considered by the Court of Appeal was the extent to which the ICO has to go in investigating and reaching decisions on the merits of every complaint. The Court of Appeal confirmed the ICO's broad discretion in its investigation processes. It determined that the ICO is entitled to reach and express a view on a complaint, without necessarily determining whether there has been an infringement.

Themes from the International Association of Privacy Professionals (IAPP) Europe Congress 2023

Members of Osborne Clarke's international data team attended the IAPP Europe Data Protection Congress 2023 in Brussels in mid-November. There were a couple of key themes coming out of that congress.

Firstly, speakers from the European Parliament, regulators and business all emphasised the significance of data protection and privacy issues in the development and use of artificial intelligence (AI), and the role that data protection and privacy teams have in supporting or leading AI governance within their organisations.  

Secondly, the intersection of data protection with other areas of regulation – including competition, digital regulation and (potential) AI regulation – was emphasised throughout the congress. It has always been important to consider data protection and privacy issues within the broader context in which they arise, bearing in mind the wider commercial and legal framework. That is increasingly important as the volume of that intersecting/overlapping regulation (in both the UK and the EU) is on the rise.

India’s new Digital Personal Data Protection Act 2023 (DPDP Act)

India has been preparing for a privacy overhaul since August 11, 2023. The DPDP Act, when operational, will become the primary legislation governing the processing and regulation of personal data in India. This is expected by the end of the current year.

This law has wide-ranging implications for controllers, collectors and processors of personal data, with respect to the provision of a notice for obtaining express consent, restrictions on the processing of children’s data, and implementation of an effective grievance redressal (among others). Unlike the GDPR, the DPDP Act is more "principle-based", with detailed rules for implementation to be released by the end of this calendar year.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
