Author: Melanie Pimenta
Many factors have shaped this year’s developments in data protection, in particular Brexit, the Covid-19 pandemic, inflation and the war in Ukraine. We review the key developments of 2022 and what you should look out for in the New Year.
Implementation of the International Data Transfer Agreement and update to Transfer Risk Assessments
Throughout 2022, the UK Government confirmed that it wanted to make international data flows a priority and accordingly, the Government confirmed that it wished to simplify the process through an outcomes/’risk-based’ approach, rather than a prescriptive process which had administrative burdens for organisations.
On 21 March 2022, the International Data Transfer Agreement (IDTA) came into force. UK-based organisations that export personal data to third countries (such as the USA) which are not covered by an adequacy decision are able to choose between the IDTA and the Addendum to transfer personal data outside the UK. The IDTA contains mandatory clauses which the data importer and exporter will need to comply with, but also provides the opportunity to refer to other data processing and data sharing agreements the parties may have in place.
In order to better understand the safeguards and security requirements to protect the personal data, the parties are required to undertake a transfer risk assessment. On 17 November 2022, the ICO published an update to the international transfers section of its Guide to GDPR, including a new Transfer Risk Assessments (TRA) Guidance and a TRA tool. The purpose of the risk assessment is to ensure that individuals check whether, for their restricted transfer and taking into account all the circumstances, the IDTA provides protection for the data subjects which is sufficiently similar to the relevant protections they have when their data is in the UK.
The Data Protection and Digital Information Bill
The Government’s 2021 consultation – Data: a new direction – as part of its proposals to reform the UK’s data protection laws following Brexit, has fed into the new Data Protection and Digital Information Bill (“the Bill”) which was introduced into Parliament on 18 July 2022.
The Bill is intended to update and simplify the UK’s data protection framework with a view to reducing burdens on organisations while maintaining high data protection standards. It included an amended definition of ‘personal data’ which limits the previous definition by focusing on the knowledge of the controller or processor and not, arguably, the whole world. In addition, in relation to data subject access requests, the Bill changed the threshold for charging a reasonable fee (or refusing to comply with a request) from ‘manifestly unfounded or excessive’ to ‘vexatious or excessive’. The Bill introduced a new legal basis for processing where processing is ‘necessary for the purpose of a recognised legitimate interest’ and removed the need for certain organisations to appoint a Data Protection Officer.
The Bill was scheduled to have its second reading on 5 September 2022; however, on 3 October 2022, the UK Government announced plans to replace the UK GDPR altogether. Since the recent changes in the UK Government, we await further details as to whether the Government will choose to deviate from the current data protection regime or if a decision is made to implement a new data protection regime.
The Government has since introduced the Retained EU Law (Revocation and Reform) Bill 2022-2023 to the House of Commons on 22 September 2022. This Bill makes provision for significant changes to the current status, operation and content of retained EU law, including through amendments to the European Union (Withdrawal) Act 2018 (EUWA). This means that the majority of retained EU law will expire on 31 December 2023, unless it is otherwise preserved. The Government has not confirmed which regulations it intends to revoke, retain or amend under the Brexit Freedoms Bill. As the UK GDPR is EU direct legislation retained in the UK, this legislation will currently disappear unless it is preserved before 31 December 2023. It is possible that the UK GDPR will be retained under the Bill; however, we await an update on this in the New Year.
New guidance on the UK BCRs
In July 2022, the ICO published guidance and revised application forms and tables to simplify the UK Binding Corporate Rules (UK BCRs) approval process for controllers and processors. UK BCRs are legally binding and enforceable internal rules or policies which can be used by UK-based controllers or processors to transfer data to non-UK-based controllers or processors within a group of undertakings or group of enterprises engaged in joint economic activity, such as franchises, joint ventures or professional partnerships. These have to be approved by the ICO.
A fundamental change to the approval process is the revision of the referential table, which should ensure that there is a simplified process when seeking to ensure that policies and procedures comply with the UK GDPR. Another significant change is to what the ICO identifies as the “BCR Policy”, in which it is expected that organisations are transparent in providing individuals with key information that they need about their personal data and transfers.
The update came in line with the decision made in the ECJ’s ruling in Schrems II to ensure that appropriate safeguards are in place when transferring personal data outside of the EU to a third country.
Cybersecurity and data breaches
Cyber security continues to be a hotly discussed topic and continues to affect more companies than expected. According to a survey by IT Governance, there were 1,243 publicly disclosed security incidents in 2021, accounting for close to 5 billion breached records. After issuing a £4.4 million fine to a construction company, the ICO commented that “the biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company”. The ICO found that the company had failed to put appropriate security measures in place to prevent a cyber attack, which enabled hackers to access the personal data of up to 113,000 employees through a phishing email. The ICO and National Cyber Security Centre are working together to meet with regulators around the world to work towards consistent international cyber guidance so that “people’s data is protected wherever a company is based”. We await details as to the guidance in this area to address cybersecurity attacks and breaches.
In late 2022, the European Data Protection Board opened a public consultation in relation to one of its guidelines on personal data breach notification under the GDPR. Despite the UK departing from the EU GDPR since Brexit, the ICO has confirmed that these guidelines continue to be relevant to the UK data protection regime. We await details in the New Year as to whether such changes are likely to impact the UK’s data breach reporting procedures.
What to look out for in 2023
Data protection reform
The UK Government has previously confirmed that it wishes to remove the administrative burdens on organisations in respect of processing personal data, with various announcements in respect of reforming the UK data protection regime and the Retained EU Law (Revocation and Reform) Bill 2022-2023. We await details as to whether the UK GDPR will be retained, revoked or amended. We therefore anticipate further reforms over the next year, where a decision will need to be made by December 2023.
Regulation of AI
As part of its risk-based approach to its data protection regime, on 18 July 2022, the Government published its AI Regulation Policy Paper, which considered the following principles: context-specific; pro-innovation and risk-based; coherent; and proportionate and adaptable. AI technologies have some underlying issues and risks and it will be interesting to see how the Government’s cross-sectoral principles will be developed and interpreted by regulators.
At this stage, the Government has sought initial views from stakeholders on the proposal set out in the Policy Paper and intends to publish an AI White Paper which will set out a framework for AI regulation in the UK, so we await details of this framework.
Development of the metaverse
Given the swift developments in artificial intelligence (AI) and the metaverse, we consider that advances in AI, biometric monitoring and emerging technologies will trigger regulation and data protection considerations in such areas.
AI is playing a crucial role in the development of the metaverse (virtual worlds) by populating its avatars or digital humans, learning from its users, and processing and predicting transactions and interactions, all in order to provide the best experiences. We are anticipating that there will be new jurisdiction-specific rules in relation to data and how this is processed and transferred in the metaverse.
UK ‘adequacy’ status review
The EU is scheduled to review the UK’s “adequacy” status in 2025. It is likely that any data reforms in the UK considered next year will be closely monitored by the European Data Protection Board to ensure that adequate safeguards remain in place to protect cross-border transfers. If the UK data protection regime deviates significantly from the EU data protection regime, there is a risk of this impacting the UK’s “adequacy” status.
Overall, it looks to be an interesting year of data protection developments with potential significant changes to the UK’s data protection regime. If you need any advice in relation to any of the points mentioned, please do not hesitate to contact a member of our data protection team who will be happy to assist.