Regulatory Outlook | Data protection | July 2021
Published on 20th Jul 2021
Third country transfers
Organisations are now able to use the European Commission's long-awaited new Standard Contractual Clauses (SCCs) for data transfers from the European Economic Area (EEA) to recipients in third countries. Issued on 4 June 2021, they replace the existing, or old, SCCs, which have been the most commonly used mechanism to provide for adequate safeguards when exporting personal data from the EEA. The new SCCs include terms to bring them in line with requirements under the General Data Protection Regulation and now cover four different transfer scenarios (controller to controller, controller to processor, processor to controller, and processor to (sub-)processor).
You can find out more in our Insight.
The new SCCs should be read alongside the European Data Protection Board's (EDPB) recently published final recommendations on supplementary measures to ensure compliance with data protection laws when transferring personal data from the EEA.
Following the UK's departure from the European Union, the new SCCs and the EDPB recommendations will not apply in the UK, but the ICO has announced plans to publish UK-specific SCCs later this year.
The European Commission has unveiled its proposed regulatory regime for artificial intelligence (AI), which is set to harmonise the laws in this area across the EU and includes hefty fines for non-compliance. In our Insight, we explain the proposed tiered system, which categorises AI systems as "prohibited" (including automated facial recognition except in limited circumstances), "high risk" (systems which must meet six areas of compliance), or lower risk (systems which must comply with certain transparency obligations).
Once this legislation is finalised, it is likely that it will be 18 to 24 months before it comes into effect.
While this Regulation will not be directly applicable in the UK, it is likely still to affect businesses which trade with the EU market. Meanwhile, the UK government has released public sector guidance in the form of an Ethics, Transparency and Accountability Framework for Automated Decision-Making.
Promoting ESG and privacy
There has been a market shift in using tech and data for Environmental, Social and Corporate Governance. We explore the regulatory concerns in our Insight. From a decarbonisation perspective, "green tech" is a popular area for many start-ups using emerging technologies such as the Internet of Things, artificial intelligence and digital twins – all of which are data intensive.
There is also a shift in the type of personal data organisations collect about their employees in order to understand and address diversity and equality in the workplace. Diversity data is often special category data and needs extra protection (see our webinar on this topic).
Online harms – what you need to know
The UK government has published its draft Online Safety Bill, designed to protect users of online content-sharing platforms from harmful material.
Our Insight discusses its wide scope and features, such as placing a duty of care on applicable companies to improve the safety of their users online. The Bill aims to improve child safety, reduce online terrorist activity, reduce online fraud and generally combat "harmful" content.
The Bill needs to go through the legislative process and is likely to be subject to some amendments. The Bill will be important for any company which allows user-generated content on its platform, with the potential for fines as high as £18 million or 10% of global turnover (whichever is higher).