This month's highlights include:
DCMS's publication of its proposals for the UK's data protection strategy; and
The government's publication of its AI strategy.
This month's top story: DCMS consultation 'Data: A new direction'
On 10 September DCMS (the Department for Digital, Culture, Media and Sport) published a consultation document entitled Data: a new direction.
Click here to read our overview of the key points.
Click here to read our article focusing on the implications for public sector organisations.
Webinar: Personal Data Transfers: A Practical Guide to the new Standard Contractual Clauses
On 29 September some of our data protection specialists delivered this webinar, where our international data transfer specialists give guidance on understanding the practical and organisational steps you will need to take when using the new Standard Contractual Clauses (SCCs). Click here to watch the recording.
Regulatory guidance/campaigns/other news from the Information Commissioner's Office (ICO)/European Data Protection Board (EDPB)/ European Data Protection Supervisor (EDPS)
ICO blog post: International progress for domestic benefit: why the ICO convened a G7 meeting on data flows
On 20 September the ICO published a blog post about the meeting that the Information Commissioner convened with her G7 counterparts to discuss topics covering specific uses of data, like AI and cookies; how privacy overlaps with competition and national security; and regulatory aspects like enforcement, deterrents and the impact of the pandemic. The ICO blog highlights cookies as one area where progress was made. The G7 has published a communiqué summarising the key points arising from the discussion.
ICO consultation on incident reporting thresholds under NIS Regulations 2018
On 9 September the ICO launched a consultation on the incident reporting thresholds under the NIS (Network and Information Systems) Regulations 2018.
Following Brexit, the government considers that the reporting thresholds under the NIS Regulations need to be adjusted, and the Information Commissioner will have the power to set those thresholds. The consultation is seeking views on two alternative proposals:
- Revise existing thresholds so that they are applicable to UK markets; or
- Replace numerical thresholds with a risk-based indicative and relative thresholds.
The consultation is open until Thursday 7 October 2021. The ICO will then analyse the results and use the information provided to inform its assessment of the costs and benefits of the different options. We will report on the outcome of the consultation once this is published.
EDPB adopts opinion on draft South Korea Adequacy Decision
On 27 September the EDPB announced that it had adopted an opinion on the draft South Korean adequacy decision. The opinion states that, while core aspects of the Korean data protection framework are essentially equivalent to those of the EU, the EDPB calls on the European Commission to further clarify certain aspects and to closely monitor the situation.
If the adequacy decision is finalised, this would mean that EEA organisations would be able to transfer personal data to South Korea without putting in place an additional safeguard (such as standard contractual clauses). While the UK has adopted the adequacy decisions made by the Commission before the UK left the EU, this subsequent decision would not automatically apply to the UK. However, DCMS has announced that it intends to prioritise a 'data partnership' with South Korea. See the August 2021 issue of DWF Data Protection Insights for our report on DCMS's post-Brexit data plans.
We will monitor the progress of the South Korea adequacy decision and report on developments and their impact on UK businesses in future issues of DWF Data Protection Insights.
EDPB establishes cookie banner taskforce
The EDPB has announced that it has set up a taskforce to coordinate the response to complaints concerning cookie banners filed with several EEA supervisory authorities by NOYB (Max Schrems' privacy rights organisation). Cookie banners are very much in the news at the moment, with the ICO seeking to work with the other G7 members to improve their use, and DCMS's plans to reform UK data protection law including a proposal to relax the requirement for consent to cookies.
The ICO has continued to focus on enforcing the Privacy and Electronic Communications Regulations 2003 (PECR), imposing fines for sending marketing emails and texts without permission and calling people registered on the Telephone Preference Service (TPS).
One company sent emails to people who had requested an online valuation of their car. The emails containing the valuations were lawful, but the company sent subsequent marketing emails without consent. The company argued that the 'soft opt-in' applied, but the ICO decided that they could not rely on it because they had not given the individual the right to opt out of marketing at the time of requesting the valuation.
Two group companies said that they had sent marketing emails based on 'indirect consent', i.e. where the intended recipient had told one organisation that he/she consents to receiving marketing from other organisations. However, the ICO's direct marketing guidance states that indirect consent will not be enough for texts, emails or automated calls, so the emails were sent in breach of PECR.
Another company ran a 're-engagement' campaign and sent emails to people they had not contacted for some time. While they argued that they could rely on consent or the 'soft opt-in', the ICO decided that they had not provided sufficient evidence, so were in breach of PECR.
Two other organisations have been fined for making marketing calls to people registered with the Telephone Preference Service (TPS), which is also a breach of PECR.
Although we have reported on a lot of ICO fines for PECR breaches, these new actions provide useful reminders of the different ways in which organisations can unintentionally breach PECR:
- You can only rely on the 'soft opt-in' if you give the individual the right to opt out of marketing at the time of collecting their contact details;
- You need to be extremely cautious when seeking to rely on 'indirect consent'. While this decision highlights that this is not adequate for electronic marketing, it can only be valid for other forms of marketing (e.g. postal) if it is sufficiently clear and specific, which is a high standard to satisfy.
- You need to keep records which enable you to prove that an individual consented to receive electronic marketing, or that you can rely on the soft opt-in, including evidence that you gave them the right to opt out but they did not do so.
- If making marketing calls, remember to screen your database against the TPS and keep it updated.
The ICO has also fined an organisation for failing to reply to a subject access request, in breach of the UK GDPR.
If you would like advice on how to:
- run a direct marketing campaign in compliance with the law; or
- manage your subject access request process,
Please contact one of our data protection specialists.
UK government publishes National AI Strategy
In previous issues of DWF Data Protection Insights, we have reported on the government's focus on artificial intelligence (AI) - click here to read our July 2021 round-up of some key news. On 22 September the government published its 'ten-year plan to make Britain a global AI superpower'.
The government's stated aims are to:
- Invest and plan for the long-term needs of the AI ecosystem to continue our leadership as a science and AI superpower;
- Support the transition to an AI-enabled economy, capturing the benefits of innovation in the UK, and ensuring AI benefits all sectors and regions; and
- Ensure the UK gets the national and international governance of AI technologies right to encourage innovation, investment, and protect the public and our fundamental values.
The plan refers to three fundamental pillars:
- Investing in the needs of the ecosystem to see more people working with AI, more access to data and compute resources to train and deliver AI systems, and access to finance and customers to grow sectors;
- Supporting the diffusion of AI across the whole economy to ensure all regions, nations, businesses and sectors can benefit from AI; and
- Developing a pro-innovation regulatory and governance framework that protects the public.
The plan makes several references to the consultation 'Data: a new direction' referred to above and the government's stated aim of championing international data flows, preventing unjustified barriers to data crossing borders and maintaining the UK’s high standards for personal data protection.
We will monitor developments closely and report on any developments and their implications in future issues of DWF Data Protection Insights.