UK to reform data protection laws

Nigel Miller (partner)

Prince Charles, in giving the Queen’s Speech on 11 May 2022, announced the government’s intention to reform UK data protection laws. The purpose of the reforms is to:

  • Take advantage of the benefits of Brexit to create a “world class data rights regime” that will allow us to create a new pro-growth and trusted UK data protection framework that reduces burdens on businesses, boosts the economy, helps scientists to innovate and improves the lives of people in the UK.
  • Modernise the Information Commissioner’s Office, making sure it has the capabilities and powers to take stronger action against organisations who breach data rules while requiring it to be more accountable to Parliament and the public.
  • Increase industry participation in Smart Data Schemes, which will give citizens and small businesses more control of their data. The Bill will also help those who need health care treatments, by helping improve appropriate access to data in health and social care contexts.

The main elements of the Bill are:

  • Ensuring that UK citizens’ personal data is protected to a gold standard while enabling public bodies to share data to improve the delivery of services.
  • Using data and reforming regulations to improve the everyday lives of people in the UK, for example, by enabling data to be shared more efficiently between public bodies, so that delivery of services can be improved for people.
  • Designing a more flexible, outcomes-focused approach to data protection that helps create a culture of data protection, rather than “tick box” exercises.

The government sees the GDPR as a highly complex and prescriptive piece of legislation which encourages excessive paperwork, and creates burdens on businesses with little benefit to citizens. As the UK has now left the EU, the data protection framework can be reformed in order to reduce burdens on businesses.

Comment:

The contents of the Bill are not yet available and it remains to be seen quite how far these reforms will go. It is one thing (for example) to reduce paperwork, and remove the need for irritating cookie banners (a couple of the potential targets of the Bill), but another to go too far and put at risk the UK’s adequacy ruling that allows the free flow of data from the EU. In the end, the reforms may be helpful but relatively modest.

new Trans-Atlantic Data Privacy Framework

The European Data Protection Board has welcomed the announcement of a political agreement in principle between the European Commission and the United States of a new Trans-Atlantic Data Privacy Framework.

The proposed Trans-Atlantic Data Privacy Framework seeks to address the concerns which led to the Privacy Shield framework being found by the European Court to be invalid. The proposed new Framework will include:
  • Safeguards to limit access to data by US intelligence authorities to what is necessary and proportionate to protect national security.
  • A new two-tier redress system to investigate and resolve complaints from Europeans about access to data by US intelligence authorities. This includes a Data Protection Review Court.
  • Strong obligations for companies processing data transferred from the EU. This will include the requirement to self-certify their adherence to the US Department of Commerce.
  • Specific monitoring and review mechanisms.
When implemented, the Framework will provide a legal basis for personal data flows from the EU to the US.
However, it may be some time before organisations can rely on the new Framework as it has to be approved by the European Commission. At this stage, therefore, the Framework cannot be used for data transfers from the EU to the US and data exporters must continue to use Standard Contractual Clauses and to take the steps required to comply with the Schrems II decision of 16 July 2020.
And even when it is adopted, it will, like its predecessors (Safe Harbor and Privacy Shield) be open to legal challenge by privacy groups.
In any event, the Framework will not apply to transfers from the UK to the US, and the UK has previously indicated that the US is a priority for an “adequacy” partnership.

New UK International Data Transfer Agreement

Vlad Arutyunyan
Millie Pierce

On 2 February 2022 the UK Government’s Department for Culture, Media and Sport put before Parliament the International Data Transfer Agreement (IDTA), an addendum to the new EU standard contractual clauses (New EU SCCs) (Addendum) and various transitional provisions. The documents can be accessed here.

The IDTA has been created as the UK equivalent to the New EU SCCs for international data transfers. The EU commission modernised the EU SCCs on 4 June 2021. The New EU SCCs can be used by parties to incorporate standardised clauses into their contracts. These clauses deal with different sections, for instance for data controllers and processors. The IDTA is a standalone agreement that will apply to all transfers of personal data outside of the UK regardless of whether a party is a data controller or processor. Whilst there are a few exceptions, this includes data importers who are subject to the rules of the UK GDPR.

When the New EU SCCs were published on 4 June 2021, they didn’t apply in the UK due to Brexit. The IDTA and the Addendum have been created to replace the current SCCs used in the UK. The IDTA will take the binding effects of the European Court of Justice Schrems II[1] decision into account.

By addressing the necessary UK legal requirements, the Addendum will allow data exporters who continue to operate in the EU and UK to rely on the New EU SCCs without the need for an IDTA. The intent is to simplify the process for data exporters and will be supported by further guidance from the ICO on the risk protection steps that data exporters will need to undertake when transferring data.

The introduction of the IDTA and Addendum has been welcomed by the ICO, they have stated that “The IDTA and Addendum will also help to support the UK’s digital economy, by enabling the global flow of people’s personal data in order to deliver goods and services.

The ICO will continue to develop the following guidance to provide help and support for businesses:

  • Clause by clause guidance to the IDTA and Addendum.
  • Guidance on how to use the IDTA.
  • Guidance on transfer risk assessments.
  • Further clarifications to the international transfers guidance.

The ICO have stated that the IDTA and the Addendum “are immediately of use to organisations transferring personal data outside of the UK“. The ICO hopes, subject to Parliamentary approval, that these changes will grant parties more confidence when entering into data transfer agreements. The ICO have confirmed that if approved, the IDTA, Addendum and transitional provisions will come into force on 21 March 2022.

[1] Previously EU to US transfer of data was permitted under the Privacy Shield Decision. This was ruled to be illegal and stricter requirement for data transfer were expected based on the SCCs.

A new year, a new ICO

As of 4 January, John Edwards became the new UK Information Commissioner for a five-year term. Mr. Edwards spent the past eight years as New Zealand Privacy Commissioner, and before that worked as a barrister. He succeeds Elizabeth Denham CBE.

Looking ahead to 2022, Mr Edwards will be working on the proposed reforms to the Data Protection Act and the introduction of the Online Safety Bill. He will also prioritise the protection of children online, through the Age Appropriate Design Code, which has already prompted international tech companies to make changes to better respect children’s rights online.

One little known fact: In 1986 – 1987 Mr. Edwards worked as a mountaineer in the Search and Rescue Team at Mount Cook National Park. These skills may come in handy navigating the complex data protection landscape!