Included in this edition of Data & Privacy News: DCMS publishes draft Online Safety Bill, ICO publishes update on UK standard contractual clauses and more...

AG insight on the future of AI regulation in Europe and the UK

On 25 May 2021 Addleshaw Goddard will be hosting another edition of our Data Download Webinar, examining the EU's proposed approach to AI regulation. Topics covered will include:

  • How are AI and high-risk AI systems defined?
  • New regulatory obligations for providers of AI systems.
  • The post-market surveillance of AI and the possible creation of a new AI Board.
  • The UK approach to AI regulation.

To register for this webinar, please click here.

ICO publishes update on UK standard contractual clauses

As part of their summary of the Data Protection Practitioners’ Conference 2021, the Information Commissioner’s Office (ICO) has announced that it is developing bespoke UK standard contractual clauses (SCCs) for international data transfers.

ICO Deputy Commissioner Steve Wood confirmed that the ICO intends to begin a consultation on SCCs in the summer. The ICO are also considering the need to recognise transfer tools from other countries, including the EU’s standard contractual clauses, and the value that this would present to the UK.

DCMS publishes draft Online Safety Bill

The Department for Digital, Culture, Media & Sport has published details of the draft Online Safety Bill, designed to establish a new regulatory framework to help safeguard young people and clamp down on racist abuse, while upholding democratic debate online.

The draft Online Safety Bill follows the government’s manifesto commitment to make the UK the safest place in the world to be online while defending free expression. The changes outlined in the draft Bill include:

  • New additions to strengthen people’s rights to express themselves freely online, while protecting journalism and democratic political debate in the UK.
  • Further provisions to tackle prolific online scams such as romance fraud, which have seen people manipulated into sending money to fake identities on dating apps.
  • Social media sites, websites, apps and other services hosting user-generated content or allowing people to talk to others online must remove and limit the spread of illegal and harmful content such as child sexual abuse, terrorist material and suicide content.
  • Ofcom will be given the power to fine companies failing in a new duty of care up to £18 million or ten per cent of annual global turnover, whichever is higher, and have the power to block access to sites.
  • A new criminal offence for senior managers has been included as a deferred power. This could be introduced at a later date if technology firms are not deemed to have sufficiently increased efforts to improve safety.

The draft legislation gives effect to the policy approach outlined in the February 2020 and December 2020 government responses. The draft Bill will now be scrutinised by a joint committee of MPs before a final version is formally introduced to Parliament.

The Bill was accompanied by a Delegated Powers Memorandum; Explanatory Notes; and an Impact Assessment.

Dutch DPA fines €525,000

The Dutch Data Protection Authority (DPA) has fined €525,000 for failing to appoint a data protection representative. The Dutch DPA received complaints about the website displaying the full addresses and sometimes the telephone numbers of people who had not provided permission, and were unaware of how their details came to appear on the site.

The website contains the personal details of people around the world, including approximately 700,000 Dutch citizens; however, it has proved difficult for EU citizens to remove their information as the site lacks a representative in the EU. This lack of representation is a breach of the General Data Protection Regulation (GDPR) and is the reason the fine was imposed.

In addition to the fine, the DPA has imposed an order subject to penalty on the company, with the company required to appoint a designated representative in the EU by 18 March 2021 or pay €20,000 for every fortnight that it does not have such a representative, rising to a maximum of €120,000.

ICO signs Memorandum of Understanding with Office of the Privacy Commissioner, New Zealand

The Information Commissioner’s Office (ICO) has signed a Memorandum of Understanding (MOU) with the New Zealand Office of the Privacy Commissioner (OPC). The MOU is designed to formalise the relationship between ICO and OPC, and aid in the upholding of people’s information rights as well as support the use of data in digital innovation and economic development.

The Memorandum details how the ICO and OPC will continue to share experience and best practice, as well as establish their co-operation in specific projects of interest and share information or intelligence to support their enforcement work. The MOU does not involve the sharing of personal data.

The ICO and OPC were already linked through their memberships of the Global Privacy Assembly; however, the MOU comes at a time of increasing trade between the UK and New Zealand, and shortly after New Zealand’s new privacy law has come into force.

European Commission urged to amend UK adequacy decisions

The Civil Liberties Committee has passed a resolution on the European Commission’s approach to the adequacy of the UK’s data protection regime, with MEPs seeking amendments to bring the Commission in line with EU court rulings and concerns raised by the European Data Protection Board (EDPB) in its recent opinions.

The EDPB opinion requested further clarification on UK bulk access practices, onward transfers and its international agreements. Meanwhile, MEPs have stated that should the implementing decisions be adopted without changes, national data protection authorities should suspend transfers of personal data to the UK when indiscriminate access to personal data is possible.

The draft resolution will be debated and voted on, together with a discussion of the ‘Schrems II’ ruling concerning data transfers from the EU to the US. The European Commission is expected to issue an adequacy decision in the next few months that will cover the UK’s data protection and the continuation of data transfers across the Channel.

Facebook loses Irish court battle over EU-US data transfers

The Irish High Court has rejected Facebook's attempt to block a draft decision by the Irish Data Protection Commission (DPC) into Facebook’s transatlantic data transfers. The High Court ruling will allow Ireland’s data regulator to resume its investigation that may prevent the social media company transferring data to the U.S.

Ireland's DPC launched an inquiry in August and subsequently issued a provisional order that the main mechanism Facebook uses to transfer EU user data to the United States "cannot in practice be used". The issue under investigation revolves around EU concerns that U.S. government surveillance may not respect the privacy rights of EU citizens when their personal data is sent to the United States for commercial use.

Should the provisional order be enforced, it would remove the access companies in the United States have over personal data from Europe, and put them on the same footing as companies in other nations outside the bloc. Whilst this case involves Facebook, the ruling would have wider ramifications for transatlantic data transfers and impact other large US-based technology companies.

Key Contacts

Ross McKenzie
Partner, Commercial Services
Aberdeen, UK

Helena Brown
Partner, Head of Data
Edinburgh, UK

Dr. Nathalie Moreno
Partner, Commercial Services and Data Protection
