Data protection | UK Regulatory Outlook October 2022
Published on 26th Oct 2022
EDPB approves first European Data Protection seal | ICO children's code – one year on | ICO takes action against organisations failing to respond to information access requests
EDPB approves first European Data Protection seal
The European Data Protection Board (EDPB) has adopted an opinion approving the Europrivacy certification criteria submitted by the Luxembourg data protection authority. This opinion marks the approval of the very first European Data Protection Seal by the EDPB.
Under the certification scheme, Europrivacy enables organisations to assess and certify the compliance of their data processing with the General Data Protection Regulation (GDPR) and complementary national data protection regulations. Organisations with certified data processing activities can identify and reduce their risks and demonstrate their compliance to help enhance their business reputation and improve access to markets.
Osborne Clarke has been selected and qualified as a Europrivacy official partner, meaning we can support and prepare businesses to obtain EDPB authorised certification of the conformity of their data processing activities with the GDPR. For more information on the certification scheme and how Osborne Clarke can help, please see our separate webpage.
ICO children's code – one year on
It has been one year since the UK Information Commissioner's Office's (ICO) Age Appropriate Design Code of Practice (or children's code) came into effect requiring online service providers to review and adapt their products and services to protect children's data. (For more information on the children's code, see our previous Insight).
One year on, we are now starting to see the ICO move to enforcement, which was made clear in its announcement last month that it intends to fine a large social media provider £27 million for allegedly "failing to protect children's privacy". At this stage, this is only a notice of intent to fine, meaning the ICO's findings are provisional.
Along with this announcement, the ICO has stated that it is "currently looking into how over 50 different online services are conforming with the children's code and have six on-going investigations looking into companies providing digital services who haven't, in our initial view, taken their responsibilities around child safety seriously enough". Accordingly, we consider it likely that we will see additional enforcement action in the coming months or years.
In parallel, the ICO has also announced that it is evaluating the code's impact and it is running a public consultation on the code which ends on Friday 11 November 2022.
ICO takes action against organisations failing to respond to information access requests
The ICO has taken action against several high-profile organisations that failed to respond to subject access requests (SARs) within the statutory time frame: one month from receipt, extendable by up to a further two months where a request is complex or numerous. The regulatory action includes reprimands for the SAR failures and, in respect of freedom of information requests, practice recommendations issued under the Freedom of Information Act 2000 (FOIA).
Information Commissioner, John Edwards, commented on these failings, saying, "SARs and requests made under FOIA are fundamental rights and are an essential gateway to accessing other rights. Being able to ask an organisation 'what information do you hold on me?' and 'how is it being used?' provides transparency and accountability and allows the person to ask for changes to be made or even for the information to be deleted".
As identified in the ICO's ICO25 strategic plan (which we reported on in our September Regulatory Outlook), the ICO plans to create a SAR tool to help data subjects request their personal data and to help controllers respond to those requests. Once this tool is finalised, organisations should be prepared for a possible increase in SARs from data subjects based in the UK.
More uncertainty for organisations on UK data protection framework
As explained in our September Regulatory Outlook, progress on the Data Protection and Digital Information Bill, which was set to make changes to the UK data protection regime, had been paused in Parliament to give the ministers appointed by prime minister Liz Truss more time to consider the legislation.
Subsequently, at the Conservative party conference, the new Secretary of State for Digital, Culture, Media and Sport, Michelle Donelan, gave a speech suggesting an intent to replace the GDPR in the UK. In particular, she noted that "…we will be replacing GDPR with our own business- and consumer friendly British data protection system." She further claimed "that it will be simpler and clearer for businesses to navigate".
This announcement further called into question the future of the draft Data Protection and Digital Information Bill, at least in its current form, leaving the position uncertain in relation to future changes to the UK's data protection regime.
Our data protection experts are following these developments closely and will continue to provide updates as the position becomes clearer.
Catalogue retailer fined £1.48 million for breaking data protection and electronic marketing laws
The ICO has fined Easylife Ltd £1,350,000 for unlawfully using the personal information of 145,000 customers: Easylife used the data to predict the customers' medical conditions and then targeted them with health-related products. The company was fined a further £130,000 for making over one million "predatory" direct marketing calls, bringing the total to £1.48 million. More information on the enforcement action can be found on the ICO's website.
President Biden signs executive order paving the way for an EU-US Data Privacy Framework and a UK-US adequacy agreement
On 7 October 2022, US president Joe Biden signed an Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities, paving the way for new adequacy decisions that would enable the free flow of personal data between the EU and the US, and between the UK and the US. This will be welcome news for organisations that have been continuing to grapple with the fall-out of the Court of Justice of the European Union's decision in Schrems II, which invalidated the previous EU-US Privacy Shield framework. For more information on this development, please read our Insight.
Our data protection team will also be delivering further updates on international data transfer requirements under the UK data protection regime in our next Dipping into Data webinar on 15 November 2022. If you would like to attend, you can register for the webinar here.
ICO launches second consultation on the draft data protection and journalism code
On 21 September 2022, the ICO launched a second consultation on its draft data protection and journalism code. The code, once finalised, will be a statutory code intended to provide practical guidance to the media industry and journalists on their compliance with UK data protection law.
The deadline to submit feedback on the consultation is 16 November 2022.
ICO finalises guidance on research provisions in the UK GDPR and DPA 2018
The ICO has finalised its guidance on the research provisions in the UK GDPR and the Data Protection Act 2018. The purpose of the guidance is to give organisations greater clarity on how they can process personal data for research purposes in conformity with UK data protection law, and to help counter the perception that data protection law is a "blocker" of good quality research. This is likely to be a useful resource for organisations operating in the research space.