Data protection | Regulatory Outlook September 2022

Major delay to the UK's Data Protection and Digital Information Bill

The progress of the Data Protection and Digital Information Bill has become a regular feature in our monthly outlook. However, the Bill's progress has taken a significant hit this month.

The second reading of the Bill in the House of Commons – originally scheduled for 5 September 2022 – was cancelled by the UK government "to allow ministers to consider the legislation further", as announced by Commons leader Mark Spencer.

No new date for the second reading was announced, save that "there will be ample opportunity, at some point in the future, to debate the Bill".

The status of the Bill is therefore unknown and it is unclear whether it will continue its progress through Parliament in its current form or at all.

For a summary of the key changes proposed in the Bill, which followed the government's response to its consultation on proposals to reform the UK data regime, please see our previous Insight.

ICO publishes its ICO25 strategic plan

On 14 July 2022, the UK Information Commissioner's Office (ICO) published its new strategic plan named "ICO25". 

The plan provides clarity for organisations on (i) why the regulators wok is important; (ii) what the regulator wants to be known for; and (iii) how it plans to achieve this through a number of objectives. It also includes the ICO's Annual Action Plan which provides a more detailed look at specific actions it will achieve over the next year (October 2022 – October 2023).

In July, the ICO also held its annual Data Protection Practitioners' Conference (DPPC) in which it provided a number of speeches and seminars on various data protection topics. The videos of the speeches are available on the ICO's website here.

Children personal data – Significant developments in Ireland

September has been a busy month for the Irish Data Protection Commission (DPC), particularly regarding the protection of the personal data of children on social media platforms.

First, on 2 September 2022, the DPC imposed its largest ever fine of €405 million, together with an order to take specific actions to remedy specific areas of non-compliance. This followed a year-long inquiry into the processing of children personal data on the social media platform, which focused on a historic public-by-default setting for child users and public disclosure of contact details for children who used a business account feature.

It's interesting to note that the Concerned Supervisory Authorities in the EU – who had received, and provided feedback on, the DPC's draft decision – had recommended to the DPC that it should issue the highest penalty in the range of penalties which it had proposed. This indicates a high level of concern among the authorities around these issues.

Second, the DPC submitted a draft decision on 13 September 2022 following a separate large scale inquiry into the processing of personal data of children on another platform. The inquiry sought to consider the platform's transparency obligations and use of public-by-default settings for users under the age of 18, and the age verification measures adopted for users under the age of 13.

Limited details are known at this stage regarding the draft decision. However, it is clear that the use of children data is a headline issue for the DPC (and other supervisory authorities) and organisations would be well advised to re-assess privacy measures adopted for any users who are children (including the use of public-by-default settings).

Privacy enhancing tech – New ICO draft guidance

The ICO has published new guidance for organisations on the use of privacy enhancing technologies (PETs), which the ICO defines in its guidance as technologies "that embody fundamental data protection principles by minimising personal data use, maximising data security, and/or empowering individuals".

Overall, the ICO adopts an optimistic stance in the guidance about the impact that the thoughtful use of PETs can have on improving the protection of personal data.

The ICO acknowledges that an increasing number of organisations are using PETs as part of their data protection by design and default approach, and that such technologies can play an important part in improving an organisation's compliance with data protection laws, including the data minimisation principle and security requirements.

Indeed, the ICO suggests that the adoption of PETs can help enable organisations to "harness the power of data through innovative and trustworthy applications". Some helpful example use-cases of PETs are included in the guidance.

However, the ICO endorses caution: organisations should carefully consider, including by undertaking a data protection impact assessment, whether the use of a PET is appropriate in the circumstances. Organisations must be alive to the fact that PETs vary greatly in maturity and utility and should not regard them as a silver bullet for data protection compliance.

Aside from further regulatory action, the ICO is keen to see the industry play its part, including the preparation of code of conducts and certification schemes for the use of PETs. This draft guidance is therefore very much the first step and we expect it will likely be supplemented by further regulatory guidance and private-sector initiatives over the next few years.