DWF Data Protection Insights January 2022

This month's highlights include:

• data protection New Year's Resolutions; and
• the ICO's announcement that updated international transfer documents have been laid before Parliament.

Data protection New Year's Resolutions

Earlier this month we published our annual data protection new year's resolutions, which include a reminder of the latest rules on international personal data transfers. This includes the news that the EU has granted South Korea an adequacy decision.  While this decision does not directly impact the UK, the UK government has stated that South Korea is one of the countries with which it is prioritising a data adequacy partnership. See DCMS launches International Data Transfer Expert Council below.

Global Consumer Trends 2022

Privacy specialists Shervin Nahid and Julia Layton wrote the section data protection – managing your data for DWF's publication Global Consumer Trends 2022.  This section focuses on direct marketing and cookie compliance, and the other sections of the report cover:

• ESG – buzz word or business critical?
• The impact of changing consumer behaviour
• People, employment and the global landscape
• Navigating your supply chains
• Horizon scanning – a challenge for legal teams
• The legal team of tomorrow

Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)

ICO announces that updated international transfer documents are laid before Parliament

The ICO has announced that the following documents, which will help to provide adequate safeguards for international transfers of personal data from the UK, have been laid before Parliament and will come into force on 21 March 2022:

• the international data transfer agreement (IDTA);
• the international data transfer addendum to the new EU standard contractual clauses (SCCs) for international data transfers (Addendum); and 
• a document setting out transitional provisions.

The ICO's announcement and transitional provisions document state that:

• the documents can be used immediately, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval;
• organisations can continue to use the old EU SCCs (including the post-Brexit UK version published by the ICO in January 2021) until 21 September 2022 (NB the document originally published said 2021, but the ICO has confirmed that this was a typographical error.  ); and
• any contracts formed on or before 21 September on the basis of the old SCCs need to be updated by 21 March 2024. A contract may need to be updated earlier if the processing operations that are the subject matter of the contract change, or the transfer of personal data is no longer subject to appropriate safeguards.

The ICO has also:

• amended its guidance on international transfers to clarify what is meant by a restricted transfer; and
• stated that additional tools and guidance are being prepared.

If you would like any support on reviewing and updating your arrangements for international personal data transfers, please contact one of our data protection specialists.

ICO guidance

ICO consultation on how it uses its powers to investigate, regulate and enforce

The ICO has launched a consultation on how it regulates data protection law.  The consultation covers three documents:

1. Regulatory Action Policy (RAP):

• this reinforces the ICO's commitment to a proportionate and risk-based approach to enforcement and explains the factors taken into consideration before taking regulatory action, including monetary penalties, stop-processing orders or compulsory audits; and
• sets out how the ICO promotes best practice, ensures compliance and works with other regulators.

2. Statutory Guidance on our Regulatory Action:

• this focuses on the sections in the Data Protection Act 2018 that specify the ICO's legal obligations to publish guidance to help organisations navigate the law; and
• explains how the ICO uses its statutory powers to investigate and enforce UK information rights legislation.

3. Statuory Guidance on our PECR Powers

• this explains how the ICO uses its statutory powers to enforce the Privacy and Electronic Communications Regulations (PECR), which govern electronic communiciations, including nuisance calls, emails and texts; and
• focuses on the ICO's powers to issue monetary penalty notices on a person/officer of a body for PECR breaches.

EDPB guidance

EDPB guidelines on examples regarding data breach notifications

The EDPB has published a final version of its guidelines on examples regarding data breach notifications.  Although the EDPB's guidelines are no longer directly relevant to the UK's data protection regime, the UK GDPR continues to contain the same data breach notification requirements as the EU GDPR, and the ICO states that the EDPB's guidance may still be helpful for UK organisations.

These guidelines supplement the guidelines issued by the Article 29 Working Party (the EDPB's predecessor) on personal data breach notifications by providing a number of case studies, which recommend the steps that should be taken in a number of scenarios:

• ransomware;
• data exfiltration attacks;
• internal human risk, including exfiltration and accidental transmission;
• lost or stolen devices and paper documents;
• "mispostal": sending data to a third party by mistake; and
• social engineering, including identity theft and email exfiltration.

EDPB guidelines on right of access

The EDPB has adopted a consultation draft of guidelines on the right of access, which provide guidance and clarification on:

• how the right of access must be implemented in different situations;
• the scope of the right of access;
• the information the controller must provide to the data subject;
• the format of the access request;
• how to provide access; and
• manifestly unfounded or excessive requests.

The EDPB's consultation is open until 11 March.  We will monitor developments and report in a future issue of DWF Data Protection Insights once the guidelines are finalised.  As stated above, these guidelines are not directly relevant to UK data protection law, but may be helpful for UK organisations.

Enforcement action

ICO enforcement

ICO fines energy company for direct marketing calls to subscribers registered with TPS

The ICO has fined an energy contract broker company £75,000 for making direct marketing calls to subscribers who were registered with the TPS (Telephone Preference Service) or CTPS (Corporate Telephone Preference Service) and who had not provided valid consent.

This provides a reminder that, even if a person or company has subscribed for goods or services from your organisation, if they are registered with the TPS or CTPS you must not call them to promote additional products without their consent.

We can help you optimise the compliance of your marketing approach, or deal with regulatory or legal action should you be subject to it – please contact one of our privacy specialists.

ICO enforcement action against Ministry of Justice for subject access requests failure

The ICO has issued an enforcement notice against the Ministry of Justice (MoJ) for failing for provide 7,753 data subjects with a copy of their personal data without undue delay when requested to do so, in breach of the UK GDPR and the Data Protection Act 2018.  The enforcement notice requires the MoJ to take steps to comply with the law and advises it to develop a recovery plan for dealing with its backlog of subject access requests.

DWF's data protection team has extensive experience of dealing with complex data subject rights requests. Click here to read more about how we can help your organisation. 

Industry news

Artificial intelligence update January 2022

In December 2021 the CDEI published the second edition of its AI barometer, and in January 2022 DCMS announced a new AI standards hub. Click here to read our summary of the key points.

DCMS launches International Data Transfer Expert Council

The Department for Digital, Culture, Media & Sport (DCMS) has announced the launch of an International Data Transfer Council, whose stated role is to provide independent advice to the government to help it "achieve its mission of unlocking the benefits of free and secure cross-border data flows now the country has left the EU".

The government had already stated that it intends to enter into data adequacy partnerships with some of the UK's key trading partners, prioritising the USA, Australia, South Korea, Singapore, the Dubai International Finance Centre and Colombia.

We will monitor the work of the Council and any developments regarding data adequacy partnerships, and report in future issues of DWF Data Protection Insights.  As we've reported previously, there is a risk that if the UK enters into data adequacy partnerships with countries not recognised as adequate by the EU, this could affect the UK's own adequacy decision.

UK government's National Cyber Strategy 2022

On 15 December 2021 the Cabinet Office published the government's National Cyber Strategy 2022.  This is intended to build on the previous strategy 2016-2021 and comprises five priority actions or pillars:

• Pillar 1: Strengthening the UK cyber ecosystem, investing in people and skills and deepening the partnership between government, academia and industry;
• Pillar 2: Building a resilient and prosperous digital UK, reducing cyber risks so businesses can maximise the economic benefits of digital technology and citizens are more secure online and confident that their data is protected;
• Pillar 3: Taking the lead in the technologies vital to cyber power, building industrial capability and developing frameworks to secure future technologies;
• Pillar 4: Advancing UK global leadership and influence for a more secure, prosperous and open international order, working with government and industry partners and sharing the expertise that underpins UK cyber power; and
• Pillar 5: Detecting, disrupting and deterring our adversaries to enhance UK security in and through cyberspace, making more integrated, creative and routine use of the UK’s full spectrum of levers.

Part 1 of the strategy document sets out the strategic context, the strategy's goals and the strategic approach th government will adopt over the coming decade. Part 2 sets out the specific actions it will take to deliver these goals, including:

• providing support and driving behavioural change regarding businesses proactively managing their cyber risks. Where necessary this will be complemented by legislation, primarily focused around sectors where the potential impact of a cyber attack is greatest, including providers of certain essential and digital services, data protection in the wider economy, and for larger businesses;
• securing the next generation of connected technologies, including by introducing and implementing the Product Security and Telecommunications Infrastructure Bill and boosting the ICO's capability to ensure digital providers are managing the risks associated with their services more proactively; and
• providing the tools and powers law enforcement and intelligence agencies need through the Counter State Threats Bill, including by updating legislation and introducing new offences to account for how state threats have evolved and amending the Proceeds of Crime Act 2002.

We will monitor the progress of this strategy and report on developments in future issues of DWF Data Protection Insights.

DCMS consultation: Embedding standards and pathways across the cyber profession by 2025

DCMS has launched a consultation on embedding standards and pathways across the cyber profession by 2025.  The announcement states that DCMS is considering how best to ensure that the UK Cyber Security Council, which was launched in March 2021, is suitably empowered to be the voice of the cyber profession.  The consultation seeks views on the most effective means of doing this over the period 2022-2025.  DCMS's stated aim is to balance the need to quality assure those practising within cyber security, while not providing unnecessary barriers to entry and progression.

The consultation comprises 29 questions about whether and how the profession should be regulated, including job titles, a competence framework and a Register of Practitioners.

We will watch out for DCMS's response to the consultation and report on any developments in a future issue of DWF Data Protection Insights.

Managed by Bots – warning of rights abuses in gig economy due to algorithmic management tools

In December 2021 Worker Info Exchange (WIE - a digital rights NGO dedicated to research and advocacy of digital rights for workers and their trade unions) published a report Managed by Bots which states that surveillance and a lack of transparency about algorithm use in the gig economy, for example profiling used for automated work allocation, has an adverse impact on workers' rights.

While WIE is a campaign group, as we reported in the March 2021 issue of DWF Data Protection Insights the Trades Union Congress has published reports about the use of AI in employment relationships and in November 2021 the All-Party Parliamentary Group on the Future of Work published a report The New Frontier: Artificial Intelligence at work calling on the government to take urgent accountability of AI accountability.

If your organisation is using or considering using any form of AI, whether in relation to your workers or customers, please contact one of our privacy specialists for advice and support.  This may include undertaking any necessary DPIA (data protection impact assessment) and considering how to address any risks identified.