Included in this edition of Data & Privacy News: UK unveils global data plans, European Commission consults on children’s rights online and more...

UK unveils global data plans

The Department for Digital, Culture, Media & Sport has published a series of measures aimed at boosting growth, increasing trade and improving healthcare.

The measures named in the package include plans to agree a series of post-Brexit ‘data adequacy’ partnerships with the United States, Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia. The UK will also prioritise future partnerships with India, Brazil, Kenya and Indonesia. The ‘data adequacy’ partnerships are formed with countries deemed to have high data protection standards and mean organisations do not have to implement additional compliance measures to share personal data internationally. A Mission Statement on the UK’s approach to international data transfers and the ‘UK Adequacy Manual’ were also published on the same day.

The press release also confirmed that New Zealand Privacy Commissioner John Edwards is the government's preferred candidate to be the UK’s next Information Commissioner. The announcement stated that Mr Edwards would be "empowered to go beyond the regulator’s traditional role of focusing only on protecting data rights, with a clear mandate to take a balanced approach that promotes further innovation and economic growth".

Additionally, the government plans to launch a consultation on the UK's future data regime, aimed at ensuring that it is "even more ambitious, pro-growth and innovation-friendly", whilst also "underpinned by secure and trustworthy privacy standards".

UAE announces new Federal Data Law

The UAE has announced that it intends to enact a new Federal Data Law (Data Law) as part of its ‘Projects of the 50’, a series of developmental and economic initiatives marking the UAE's 50th anniversary this year. The Data Law constitutes a significant development in modernising the UAE's onshore data protection laws and may even represent the first stepping stone to "Adequacy" decisions from other regulators, both in the UAE's financial freezones and globally. To read our Middle East team's expert analysis of the new Data Law, click here.

ICO Children’s code comes into force

The Information Commissioner's Office's (ICO) Children's code came fully into force on 2 September 2021, with the ICO publishing an introduction to the code, containing a list of 15 standards that online services need to follow. The code applies to all UK-based companies and any non-UK companies who process the personal data of UK children, even if children are not the target audience. The aim of the code is to ensure companies are complying with their obligations under data protection law to protect children’s data online.

In the week prior to the code coming into force, Stephen Bonner, the ICO’s Executive Director of Regulatory Futures and Innovation, published a blog detailing the expected impact of the code alongside plans for how the ICO will engage with social media platforms, video and music streaming sites and the gaming industry to ensure their services are adapted in line with the code. The ICO also has the power to provide support to companies in doing this as well as investigate or audit organisations where it deems necessary.

EDPB calls on Irish SA to amend WhatsApp decision

The European Data Protection Board (EDPB) has requested that the Irish SA amend its draft decision regarding WhatsApp Ireland Ltd, to provide greater clarity regarding the infringements of transparency and amendments to the way in which the fine has been calculated and the period for the order to comply.

Key elements of the EDPB statement focus on:

• Transparency: The EDPB has requested that the Irish SA include a finding of an infringement of Art. 13(1)(d) GDPR, in addition to its existing findings of a severe breach of Art. 12-13-14 GDPR. The EDPB has also clarified that, while not every infringement of Art. 12-14 GDPR necessarily entails an infringement of Art. 5 (1) (a) GDPR, in this particular case there has been an infringement of the transparency principle enshrined in Art. 5(1)(a) GDPR.
• Collection of data of non-users: The EDPB found that the procedure used by WhatsApp IE does not lead to anonymisation of the collected personal data.
• The imposing and calculation of the fine: The EDPB ruled that, in this case, the consolidated turnover of the parent company (Facebook Inc.) is to be included in the turnover calculation to ensure the fine is effective, proportionate and dissuasive in accordance with Art. 83(1) GDPR. The EDPB also decided that the six-month deadline for compliance imposed by the Irish SA was too long, and requested that the deadline be reduced to three months.

For details on the EDPB's urgent binding decision asking the Irish SA to carry out statutory investigation in the processing of WhatsApp user data by Facebook IE, see our Data & Privacy News update from 28 July 2021.

European Commission consults on children’s rights online

The European Commission has published a consultation on ways it can promote, protect, respect and fulfil the rights of all children and young people online. The consultation seeks input from stakeholders from across Europe including parents and carers, teachers and educators on a series of topics including:

• the opportunities and benefits for children and young people online;
• the challenges and risks which they might face;
• who should be responsible for improving online experiences; and
• what policy makers need to do over the next decade to bring about change.

The consultation forms part of the wider European Commission digital compass which was presented in March 2021 and maps the EU’s digital ambitions for the next ten years. The digital compass aims to ensure that the digital world is fit for the future and can allow everyone to benefit from all the opportunities it can offer. The consultation closes on 11 October 2021.