As we approach the end of 2021, and after yet another rollercoaster year for data privacy, it seems a good time to reflect on what is currently on the plates of data privacy professionals and areas on which to keep a watching brief, notably the recent DCMS and ICO consultations. (For our summary of the DCMS proposals see Article, DCMS data protection reforms: summary of consultation proposals and for more on the ICO data transfers consultation see Article, ICO consultation on international data transfers: what to do now.)
International data transfers
The topic that seems to be keeping everyone busy is international data transfers. Although earlier in the year we saw the EU finalise SCCs, we look set to have to wait until at least early 2022 for the finalised UK approach. Organisations continue to be in a state of flux as to how best to approach transfers in the meantime and how to plan for the future.
Practitioners are grappling with questions in complex transfer scenarios involving multiple jurisdictions, for example:
- Do we use two sets of clauses, one for the EU and one for the UK, or do we use the UK addendum with the EU SCCs?
- What do we do with the EU’s processor clauses within the transfer SCCs if we prefer to use our own processor clauses?
- How do we manage transfer impact assessments?
- When do we need to get all this done, and what do we do in the interim?
We have heard of organisations taking a variety of approaches. Larger businesses with operations in the EU have suggested they are more likely to use the EU SCCs with the UK addendum because of the added time and cost associated with maintaining two sets of clauses. There is even some indication that organisations have already started to make use of the ICO’s draft addendum to the SCCs without waiting for the outcome of the consultation.
Practitioners see the risk transfer tool as helpful, but the ICO makes it clear that it is intended only for straightforward situations, so specialist advice will potentially be needed in more complex cases.
Smaller, less complex organisations also have to deal with change and, while they may be more likely to find the ICO’s relatively user-friendly and plain English IDTA useful, there is still a view that it will be difficult for small businesses to work through the risk transfer tool without the benefit of specialist advice.
This area looks set to keep data privacy professionals busy well into 2022: keeping an eye on the ICO’s final stance; seeing what the EU does with SCCs for transfers to non-EU organisations that are themselves subject to the EU GDPR, and what the EDPB has to say about this (see Legal update, EDPB publishes guidance on interplay between GDPR territorial applicability and international transfers (57th Plenary)); and getting contracts in order before the deadlines for using the new versions. Organisations will need to ensure they have the time, resources and business momentum to keep on top of this.
DCMS consultation on data protection reforms
A topic of less day-to-day practical importance, but nevertheless crucial to follow and spend some time on, is the proposed reforms to UK data protection legislation put forward by the DCMS.
While there is no immediate impact on organisations, it is worth data privacy professionals knowing what may be coming and what effect it could have on their organisation. This could range from changes to compliance programmes and roles through to a potentially longer-term risk to the UK’s adequacy status. From our conversations with practitioners, there does seem to be a general view that, if implemented, some of these proposals bring a significant risk of challenge to the adequacy decisions before the four-year sunset and an even higher risk of non-renewal at the end of the term, and that this is not being adequately addressed by the government (despite its statement that “it is perfectly possible and reasonable to expect the UK to maintain EU adequacy”).
There also seems to be a view that, while some of the proposals (such as introducing risk-based privacy management programmes and removing the DPO requirements) may be helpful for smaller organisations, some of the public sector and those not operating in the EU, in general they are unhelpful for organisations that do operate in the EU and globally, have to deal with divergent regimes and have already invested time and expense in complying with the current EU-GDPR-based regime. The real question is whether the proposals will have much impact at all on global organisations, which will continue to pitch compliance at a level that works globally.
Some practitioners have expressed concern over the removal of the mandatory requirement for a DPO (with the level of independence that a DPO brings). The DPO role has raised the profile of data protection compliance at board level and has become a growing profession in its own right, a view echoed by the ICO in its response to the DCMS consultation. Other compliance functions benefit from regulated roles and we have heard practitioners query why data protection should be treated differently at a time when personal data has become an increasingly valuable commodity.
If the mandatory requirement for DPOs is removed, what assurance is there that designated individuals would be appointed to oversee data protection compliance, and how would this be monitored or enforced? This may be particularly important in otherwise unregulated industries such as adtech, or in organisations using artificial intelligence and profiling (which often carries significant risk for individuals, in particular children).
Reforms that create less prescriptive legislation should not mean lowering protection or weakening the profile of data protection throughout an organisation or at board level. As there is scope for amending the threshold for appointing a DPO rather than abolishing the requirement, there is a view that the government should take this approach. A similar concern exists in relation to the proposals to remove the data protection impact assessment requirements.
Certainly, the consultation has opened up a debate amongst practitioners and is one to add to the risk register or to keep a watching brief on. Practical Law Data Protection will be publishing a tracker to help keep an eye on changes.
Post-pandemic employment questions
Practitioners who advise on data protection compliance in relation to workers have had to deal with a variety of new scenarios during the pandemic, for example on remote working and monitoring, health data, data sharing and so on. As organisations pivot to whatever their new normal may be, data privacy issues are still arising, for example in relation to vaccination status, work patterns and data security, and it seems likely that the ICO will address some of this in its planned guidance on employment practices. For further information, see:
- Video, Minimising data privacy risks as staff return to the office.
- Practice note, COVID-19 (Coronavirus) and employment law.
- Legal update, Employer monitoring of homeworkers prompts calls for strengthened regulation.
- Legal update, All-party Parliamentary Group (APPG) proposes new legislation to curb surveillance technologies and algorithm-determined performance targets.
Other areas to watch
While anything and everything in an organisation can have some sort of data privacy angle, topics to watch in the near future, where we may see further regulatory guidance, include: anonymisation and pseudonymisation; AI; CCTV; accountability; age assurance and children’s data; research data and data sharing; adtech and eprivacy; and cyber breaches and security. Keeping on top of developments across different jurisdictions, and of potentially increasing UK divergence, is also a challenge for organisations that often need a uniform approach. Practitioners can be expected to be on top of a range of issues, and to help with this Practical Law Data Protection will, as usual, be publishing our What to Expect article for 2022.
A new Information Commissioner
Finally, as 2022 approaches, we have a new regulator to look forward to as John Edwards takes on the role of Information Commissioner in January. He is the second Information Commissioner to have previously held a similar role overseas (in his case in New Zealand; his predecessor Elizabeth Denham had held a role in Canada). Given the DCMS consultation’s proposals for the role of the Information Commissioner and office, which are seen as threatening the ICO’s independence, he certainly joins at an interesting time and will no doubt want to put his mark on the organisation and establish his own priorities.