Data Protection and what the Labour Government should do

July 2024

What should Keir Starmer’s team do about data protection?

After the Conservative Party’s crushing defeat on July 4th, we now have a Labour administration. As the General Election was called, the Data Protection and Digital Information Bill was progressing through Parliament. Although many thought it might just pass before an Election, the decision by Rishi Sunak to gamble everything on an early election led to the Bill’s abandonment.

The Bill itself was controversial, proposing a mixed bag of changes to data protection and ePrivacy laws. Views within the industry were, it is fair to say, divided.

I’ve asked industry insiders the question: what should the new Government do with UK GDPR, the Privacy and Electronic Communications Regulations (PECR), and AI? Here’s what they say.

Steve Wood, Founder & Director, PrivacyX Consulting and former UK Deputy Information Commissioner

“The New Government should firstly take a step back to consider its approach to public engagement on data and AI, particularly with civil society. As they seek to use AI to transform the public sector, a planned and long-term approach to meaningful transparency and engagement is vital. There are good foundations to build on for AI policy and the new Government should look at options to put AI principles on a statutory footing and what additional oversight and coordination is needed to make them effective.

There is scope for a focused AI and Data Bill, learning the lessons of the complexity and confusion in the DPDI Bill and what will really improve the outcomes of the data protection regime – for people and organisations. Changes to GDPR that should remain on the table include the new Information Commission reforms, the data protection test for international transfers and an exemption for analytics cookies.”

You can read more of Steve’s thoughts in his Substack blog – A Digital Policy Memo for the Minister’s Red Box

Chris Combemale, CEO, Data & Marketing Association (DMA)

“The DMA continues to believe that reforming the data protection regime in the UK is fundamental to driving growth, innovation, and wealth creation in the country. Doing so would be a strong sign of the new Government’s commitment to the industry and business. Amongst the most important reforms for DMA members are:

1. Reforms that establish greater certainty for the use of legitimate interests as a lawful basis, particularly for attracting and retaining new customers
2. Reforms that clarify how data can be better used to support scientific research and technology development
3. Reforms that reduce bureaucracy for small business
4. Reforms that enable Smart Data schemes to be introduced in appropriate sectors
5. Reforms that reduce the consent requirements for non-intrusive cookies
6. Reforms that update the law to enable beneficial update of automated decision-making like AI while maintaining strong safeguards

These reforms are consistent with the Labour Policy Forum position and indeed were supported by Labour during scrutiny of the former government’s DPDI Bill. The DMA will work closely with the incoming government to ensure these reforms become law.”

Read Chris’ Open Letter to all political parties

Robert Bond, Senior Counsel, Privacy Partnership Law and Chair, DPN Advisory Group

“The new Government needs to ensure that any changes it makes to our data protection regime do not harm our “adequacy” with the EU. However, I would welcome a review of the reliance on Legitimate Interest as a lawful ground for processing to bolster this useful ground. I would like to see a review of PECR and a proactive focus on practical AI legislation.”

Gerald Coppin, Deputy Group Data Protection Officer, Springer Nature

“I feel a Labour government should work on an international effort to harmonise the data privacy laws across major jurisdictions, it could make it easier for businesses to manage regulatory requirements. They could recommend or mandate techniques like differential privacy, federated learning, and synthetic data generation to enable AI development without compromising individual privacy. As well as expanding regulatory sandboxes that allow companies to test innovative AI applications in a controlled environment, while ensuring privacy safeguards are in place. A reduction in paperwork to prove compliance with the different laws would be MOST welcome!!”

Debbie Evans, Managing Director, FTI Consulting

“I want to be optimistic about change however, it’s not going to be without challenge. Whilst I’m not proclaiming any particular political persuasion – my personal hope is that individual rights are given more visibility. Businesses consequently will need to take compliance more seriously as laws strengthen.”

Eduardo Ustaran, Partner, Hogan Lovells

“My view is that the new UK Government should aim to realise the opportunity to place the UK as a global leader in these areas. The UK is in an ideal sweet spot because it is close enough to the EU’s policy objectives of providing the highest levels of protection for personal data and human rights in the face of today’s AI revolution, but also understands the crucial importance of technological innovation for growth and prosperity. That combination is particularly attractive for responsible global businesses to model their regulatory compliance strategies for privacy, cybersecurity and AI. This is a crucial issue for the UK Government to get right and support its primary goal of growing the economy.”

Charles Ping, Managing Director, Europe, Winterberry Group

“Labour has a big task ahead, and by its own admission, limited resources. So using the eco-friendly mantra of reduce, reuse and recycle, they should take all three aspects into evolving our data protection legislation. Reduce the wasted time on devising new policy objectives in this area when there was cross-party consensus on the currently lifeless Data Protection and Digital Information Bill. Reuse, because the bill is pretty much “oven ready”, if that phrase hasn’t been rendered entirely valueless by a previous administration.

Recycle the old bill and ensure an expedited path through the corridors and meeting rooms of Westminster. I can’t see a new administration (or country) wanting a traditional summer recess, so this legislation should have time to whistle through and start making a difference.”

Eleonor Duhs, Partner and Head of Data & Privacy, Wells Bates LLP

“I think the new Labour Government, as a priority, should deal with the uncertainty created by the Retained EU Law (Revocation and Reform) Act 2023 (“REULA”) about how to interpret the UK’s data protection frameworks. REULA has turned the statute book on its head, with domestic law (whenever enacted) taking precedence over any law that was previously EU law (including UK GDPR). An example of the unintended consequences of this is in the area of exemptions from data subject rights. The Open Rights case (brought before REULA came into force) required the government to provide EU-standard protections for migrants when exercising data subject rights. But because of the reversal of the relationship between the UK GDPR and the Data Protection Act 2018, every other group in society now has a lower standard of protection for their data subject rights, compared with migrants.

This outcome was clearly not anticipated. In order to ensure data protection standards in the UK remain high, the new Labour government should bring forward legislation. It could either use the powers in REULA to reintroduce deleted principles in order to bring clarity and legal certainty. Alternatively, the best course of action may be to bring forward primary legislation to ensure that the UK statute book is stabilised. Powers to update our data protection frameworks should also be considered to ensure they continue to be current and track accepted EU and international standards. This would support growth and avoid the risk of losing the UK’s data adequacy decision, which is due to be reviewed next year.”

You can read more from Eleonor on the REULA here

While I appreciate reforming data protection law may prove not to be a high priority for the new Starmer Government, to offer my tuppence, if Labour does nothing else, I’d urge them to revise PECR. It’s desperately out of date, first introduced over 20 years ago, and then updated back in 2009 with the ‘cookie law’. The world has moved on. There were some proposed changes to PECR under the DPDI Bill which I favoured. In particular, a change allowing not-for-profits to take advantage of the so-called soft opt-in exemption to consent for marketing emails / texts. This is currently only available in a commercial context, which I feel is unfair. As others have mentioned, I’d also like to see a revision of the consent rules for website analytics cookies.

6 Steps to Manage International Data Transfers from the UK

June 2024

UK data protection law requires us to carefully consider and have specific measures in place to protect personal data and the rights of individuals when it’s transferred overseas.

Other jurisdictions have similar rules. For example, there are restrictions on personal data transfers from the European Union, Brazil, UAE, New Zealand and Singapore, to name a few.

In this article I’m focusing on UK-based organisations who are looking to transfer personal data outside the UK, and the key steps to take.

BALANCING THE RISKS

Tackling international data transfers can feel complex and overwhelming, but it really pays to make sure relevant stakeholders in your business are familiar with the requirements and understand the potential risks. Sometimes you may have limited control over the terms under which you do business with others. There will be times where there’s no room for negotiation on the terms. Where this is the case, a balance will need to be struck between the business necessity of entering the contract and the potential risks should restricted transfers not be adequately covered. Do you walk away and find a different solution, or accept the risk?

STEP 1: IDENTIFY PERSONAL DATA TRANSFERS

First you need to check if what you’re planning to do constitutes a restricted international data transfer.

🚩 Are you transferring or sharing personal data with an organisation located outside the UK? This could be a new supplier/service provider or another organisation you need to share data with.

🚩 Are you making personal data available to another entity located outside the UK? Can the data be accessed by another entity’s employees?

The receiver of the personal data could be a separate company, a public body, a sole trader or another legal entity within a group of companies. Here are some examples:

Suppliers based outside the UK

Transferring or permitting access to your personal data, when using a supplier/service provider based in the US, India, France, Australia or anywhere else in the world.

Partner organisations based outside the UK

Sharing personal data with any organisation based overseas, who may be using the personal data for their own purposes. This includes sending paper or electronic documents, by email or post, or permitting another organisation to access your systems.

Group entities based outside the UK

Sharing employee, customer or any other personal data with a separate legal entity within your corporate group which is located outside the UK. This includes employees working for an overseas entity having access to personal data on the UK organisation’s systems.

Important note: It would not constitute a restricted transfer if someone employed by a UK-based company accesses personal data from overseas. For example, a colleague on a business trip can access UK systems from anywhere in the world.

STEP 2: CHECK IF AN EXCEPTION APPLIES

There are some limited exceptions where you don’t need an adequacy decision or other safeguard mechanism. The ICO makes it clear most exceptions include the word ‘necessary’ and, while this doesn’t mean the transfer has to be absolutely essential, it ‘must be more than just useful and standard practice’.

To rely on an exception you need to assess whether the transfer is objectively necessary and proportionate, and can’t reasonably be achieved in another way. Exceptions are most likely to be appropriate for occasional transfers, a low volume of data, and where there is a low risk of harm when personal data is transferred. Here are some of the most commonly used exceptions, and a full list can be found here.

📌 Explicit Consent – the transfer is done with the explicit consent of the individual whose data is being transferred, and where they are informed of possible risks.

📌 Contract – where the transfer is necessary for the performance of a contract between the individual and the organisation or for necessary pre-contractual steps.

📌 Public Interests – the transfer is necessary for important reasons of public interest.

📌 Legal Necessity – the transfer is necessary for the establishment, exercise or defence of legal claims.

📌 Vital Interests – the transfer is necessary to protect people’s vital interests (i.e. in a critical life or death situation) where the individual cannot legally or physically give

STEP 3: CHECK IF DESTINATION COUNTRY HAS AN ADEQUACY DECISION

If a country has been awarded ‘adequacy’ there is no legal requirement for any further additional safeguards. Adequacy status is awarded to certain countries which have been judged to have a level of data protection standards similar to the UK’s. An adequacy decision essentially allows for the free flow of personal data between the UK and another country.

Adequacy decisions are kept under regular review, and can be overturned, so some organisations take a belt and braces approach and adopt additional safeguards.

European Economic Area / UK

The European Commission has granted the UK ‘adequacy’ for the time being, and this is reciprocated by the UK. Therefore, personal data can flow freely between the UK and countries in the EEA. This includes the EU member states and the EFTA states.

Other adequate countries

The UK adopted all EU adequacy decisions as of January 2021. Therefore personal data can flow freely between the UK and countries such as Switzerland, New Zealand, Uruguay, Israel and Japan.

See a full list of European Commission Adequacy Decisions. The UK Government has the power to make its own ‘adequacy decisions’ on countries it deems acceptable for transfers from the UK.

United States

The ‘UK-US Data Bridge’ came into play in the Autumn of 2023. This extension to the EU-US Data Privacy Framework (DPF) permits the free flow of personal data between the UK and US, but only if the US company has:

    • self-certified and meets the principles of the DPF, and
    • signed up to the UK ‘data bridge’ extension.

For a list of self-certified organisations see US Department of Commerce DPF

STEP 4: SELECT A SAFEGUARD MECHANISM (IF NECESSARY)

If there is not an adequacy decision for the destination country and you aren’t able to rely on a limited exception, there’s a requirement to make sure specific provisions are in place. Organisations have the following options in order to comply with UK GDPR.

📌 UK International Data Transfer Agreement (IDTA)

This is a standalone legal contract which has been published by the UK ICO. Its purpose is to safeguard personal data which is sent outside of the UK.

📌 EU Standard Contractual Clauses (SCCs) with UK Addendum

The EU SCCs are contracts which have been produced by the European Commission for the purpose of safeguarding personal data sent outside the EU. The ICO stresses EU SCCs are not valid for restricted transfers under UK GDPR on their own; it’s necessary to use the UK Addendum as well. It’s also worth noting new EU SCCs were published in 2021 and the old versions are no longer valid for UK organisations to use, so make sure you haven’t got any outdated SCCs lurking in existing contracts.

📌 Binding Corporate Rules (BCRs)

BCRs can be used as a safeguard for intra-group transfers. Some global organisations have gone down this route, but it is onerous and takes a considerable amount of time, as BCRs must be approved by a relevant data protection authority (such as the ICO). Therefore many organisations opt for EU SCCs with the UK Addendum, or the IDTA.

📌 Other safeguards

Other safeguard measures include approved codes of conduct, approved certification mechanisms, or legally binding and enforceable instruments between public authorities or bodies.

STEP 5: CONDUCT TRANSFER RISK ASSESSMENT (IF NECESSARY)

If you are looking to rely on the IDTA, or EU SCCs with the UK Addendum, there’s a requirement to conduct a Transfer Risk Assessment (TRA). This is a written assessment to determine whether personal data will be adequately protected and to assess the likelihood and severity of risks to people’s fundamental rights and freedoms. A key aspect of this is assessing whether foreign Governments or public bodies could override the safeguard measures you have in place.

The ICO has published TRA Guidance, which includes a TRA tool: a template document of questions and guidance to help businesses carry out a TRA. You can also use the EU alternative, a Transfer Impact Assessment (TIA).

STEP 6: KEEP UNDER REVIEW

The rules relating to international data transfers have been subject to a number of significant legal rulings and changes over the past decade, and it’s therefore important to keep abreast of developments; new adequacy decisions may be issued, and existing decisions could be overturned.

An area to definitely keep an eye on is the EU’s adequacy decision for the UK. This is expected to last until June 2025, but is up for review. It could be extended, but if it isn’t it will expire on 27 June 2025.

What does the IKEA CCTV story tell us?

April 2022

Only set up video surveillance if underpinned by data protection by design and default

What happened?

Following an internal investigation, IKEA was forced to apologise for placing CCTV cameras in the ceiling voids above the staff bathroom facilities in their Peterborough depot. The cameras were discovered and removed in September 2021, but the investigation has only just concluded in late March 2022.

An IKEA spokesman said:

 “Whilst the intention at the time was to ensure the health and safety of co-workers, we understand the fact that colleagues were filmed unknowingly in these circumstances will have caused real concern, and for this we are sincerely sorry.”

The cameras were installed following “serious concerns about the use of drugs onsite, which, owing to the nature of work carried out at the site, could have very serious consequences for the safety of our co-workers”.

They had been sanctioned following “multiple attempts to address serious concerns about drug use, and the use of false urine samples as a way of disguising it”.

“The cameras placed within the voids were positioned only to record irregular activity in the ceiling voids,” he said.

“They were not intended to, and did not, record footage in the toilet cubicles themselves. However, as a result of ceiling tiles becoming dislodged, two cameras inadvertently recorded footage of the communal areas of two bathrooms for a period of time in 2017. The footage was not viewed at the time and was only recovered as part of these investigations.”

Apology and new ICO guidance

The key question raised by this incident is where to draw the line. When is it inappropriate to set up CCTV? In this instance, the company had concerns about drug misuse – but was that a good enough reason? I think a lot of us intuitively felt the answer was no.

This apology conveniently coincides with the recent publication of new guidance on video surveillance from the ICO regarding UK GDPR and the Data Protection Act 2018.

This guidance is not based on any changes in the legislation – it is more an update to provide greater clarity about what you should be considering.

Video surveillance definition

The ICO guidance includes all the following in a commercial setting:

  • Traditional CCTV
  • ANPR (automatic number plate recognition)
  • Body Worn Video (BWV)
  • Facial Recognition Technology (FRT)
  • Drones
  • Commercially available technologies such as smart doorbells and dashcams (not domestic settings)

Guidance for domestic use is slightly different.

Before setting up your video surveillance activity

As part of the system setup, it’s important to create a record of the activities taking place. This should be included in the company RoPA (Record of Processing Activities).

As part of this exercise, one needs to identify:

  • the purpose of the lawful use of surveillance
  • the appropriate lawful basis for processing
  • the necessary and proportionate justification for any processing
  • identification of any data-sharing agreements
  • the retention periods for any personal data

As with any activity relating to the processing of personal data, the organisation should take a data protection by design and default approach when setting up the surveillance system.

Before installing anything, you should also carry out a DPIA (Data Protection Impact Assessment) for any processing that’s likely to result in a high risk for individuals. This includes:

  • Processing special category data
  • Monitoring publicly accessible places on a large scale
  • Monitoring individuals at a workplace

A DPIA means you can identify any key risks as well as potential mitigation for managing these. You should assess whether the surveillance is appropriate in the circumstances.

In an employee context it’s important to consult with the workforce, consider their reasonable expectations and the potential impact on their rights and freedoms. One could speculate that IKEA may not have gone through that exercise.

Introducing video surveillance

Once the risk assessment and RoPA are completed, other areas of consideration include:

  • Surveillance material should be securely stored, with controls in place to prevent unauthorised access
  • Any data transmitted wirelessly or over the internet requires encryption to prevent interception
  • How easily data can be exported to fulfil DSARs
  • Ensuring adequate signage is in place to define the scope of what’s captured and used.

Additional considerations for Body Worn Video

  • It’s more intrusive than CCTV so the privacy concerns are greater
  • Whether the data is stored centrally or on individual devices
  • What user access controls are required
  • Establishing device usage logs
  • Whether you want to have continuous or intermittent recording
  • Whether audio and video should be treated as two separate feeds

In any instance where video surveillance is in use, it’s paramount individuals are aware of the activity and understand how that data is being used.

Managing data transfers from the UK

February 2022

The new International Data Transfer Agreement (IDTA) and Addendum is a sensible evolution of the old SCCs

International Data Transfers – to recap

Whenever UK-based organisations arrange the transfer of personal data to a third country outside the UK, they need to make sure the transfers are lawful, by confirming the data security and rights of individuals remain protected when data leaves the country.

Since the famous “Schrems II” ruling by the European Court of Justice in 2020, this activity has been thrown into disarray. To remind you, this is the ruling which invalidated the EU-US Privacy Shield and raised concerns about the use of EU Standard Contractual Clauses (SCCs) to protect the data.

Soon after, the European Commission set to work to update the EU SCCs. These were drafted and enacted fairly swiftly, taking effect on 27th June 2021.

What are the new EU SCCs?

The new EU SCCs were expanded to introduce more flexible scenarios:

  • SCCs are now modular, meaning that they can accommodate different scenarios, where you can pick the parts which relate to your particular situation.
  • The SCCs cover four different transfer scenarios, including processors:
    • Controller to controller
    • Controller to processor
    • Processor to controller
    • Processor to processor
  • More than two parties can accede to the SCCs, meaning additional controllers and processors can be added through the lifetime of the contract. This potentially reduces the administrative burden.

How did this affect the UK?

On 28th June the UK’s adequacy decision was adopted. On September 27th 2021, the prior version of the SCCs expired.

In our webinar last year, it was obvious that everyone was confused. The situation caused by the “Schrems” ruling was compounded by the fact that Brexit had been completed. This meant we could no longer apply the SCCs approved in Europe. The UK needed its own SCCs, but they did not exist.

The ICO consultation

From August to October 2021, the ICO conducted a consultation to understand how a UK version of these rules should be enacted. Since we had been granted an adequacy decision by the EU, we all hoped it would be possible to mirror the SCC arrangements in UK law, thus reinstating the means by which we can lawfully export data to places such as the US.

Anecdotally, the resounding view was not to mess with the principles enshrined in the EU SCCs, as it would simply add complexity to an already complex situation.

The ICO conclusion

In January, the ICO published the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses. To the layperson, the EU’s standards have been adopted.

What’s included in the Agreement and Addendum?

    1. The International Data Transfer Agreement (IDTA) replaces the old EU SCCs which were relied upon to provide the appropriate safeguards required under the UK GDPR for international data transfers from the UK. There are differences from the new EU SCCs – it is a single all-encompassing agreement that incorporates all the scenarios identified in the EU SCCs. One can omit sections and there is no requirement for it to be signed. This is most useful for those creating new data transfer agreements.
    2. The UK Addendum is a far simpler document. It is an addendum to the EU SCCs where references to EU laws are replaced by references to UK laws. It allows businesses to use the EU SCCs for international data transfers not only from the EU but also from the UK. It is useful for those already using the EU SCCs who want a simple addendum to update the legal context.

When does this come into force?

The IDTA was laid before Parliament on 2nd February 2022. It comes into force on 21st March if there are no objections. To all intents and purposes, it’s in force now. The Information Commissioner’s Office (ICO) has stated the IDTA and UK Addendum:

“are immediately of use to organisations transferring personal data outside of the UK, subject to the caveat that they come into force on 21 March 2022 and are awaiting Parliamentary approval”.

What does this all mean?

In practice, UK businesses can breathe a sigh of relief and get on with their lives. There is clarity at last. Existing agreements need to be updated with the UK Addendum and new ones can be put in place with the International Data Transfer Agreement. There will be an administrative burden, but businesses now know what they need to do. Good sense has prevailed.