The big news stories in the world of data protection keep on coming.

On 17th June 2022 the DCMS published its long-awaited response to its Consultation, Data: a new direction. The response provides the first clear indication of how the UK's new data protection law will deviate from the GDPR's blueprint, and how the government hopes to create opportunities for innovation and growth by reframing compliance obligations for organisations processing UK personal data. We have produced a quick reference guide to some of the key changes that are expected as part of the anticipated Data Reform Bill, and you can also see our Webinar on this topic on our Data Download page.

This issue of Data & Privacy News also covers some interesting changes to the ICO's approach to enforcement, calls for greater regulation of live facial recognition and other biometric technology, and more developments on international data transfers. 

Draft Irish DPC decision on Meta's EU exports

The Irish Data Protection Commissioner (DPC) has issued a draft decision which proposes a prohibition on the transfer of personal data by Meta from Europe to the US. 

The decision relates to the "own volition" investigation the DPC launched against Meta in the aftermath of the Schrems II decision. It calls into question the lawfulness of transfers currently taking place based on the standard contractual clauses Meta has in place with data importers in the US.

The distribution of the draft decision is an important procedural step, as it indicates the regulator's intention to take drastic action to enforce the CJEU's strict interpretation of the GDPR. It triggers the Article 60 procedure under the GDPR and means other data protection authorities in Europe (whose citizens may be affected by the decision) have four weeks to review the draft decision and consider whether they wish to make any "relevant or reasoned objections". Max Schrems has stated that he expects there to be some objections raised, as the DPC's draft decision does not sufficiently address all of the major issues in the case. If such objections are raised and cannot be easily satisfied by the DPC, the deadlock could last several months before being resolved by the EDPB.

With progress on the proposed EU-US Transatlantic Privacy Framework continuing to stall, it is currently unclear what level of interruption there could be to Meta's service offering in the EU in the medium term.

Information Commissioner announces fresh approach to engaging with public authorities

The ICO has published an open letter to the UK's public authorities, setting out its new approach towards enforcing data protection rules against them.

The letter, penned by the new Information Commissioner John Edwards, who took office at the start of the year, sets out the regulator's intention to trial a new enforcement strategy based on a more collaborative approach. Edwards' plan is to help organisations prevent data protection harms before they arise, and to support compliance through engagement, education on best practice, warnings and enforcement notices.

Under this new approach, fines will be imposed only in cases involving egregious failures to uphold data protection standards. In those rarer cases where monetary penalties are imposed, they will be set at a discounted level to prevent public services being adversely impacted by ICO enforcement action.

To ensure enforcement decisions continue to offer valuable guidance to public and private sector organisations alike, the ICO will continue to publish decision notices specifying the fine that would have been imposed if it had not been discounted. 

Mr Edwards' letter, however, also carried a warning for public bodies that this trial should be no excuse for complacency:

"I also expect to see investment of time, money and resources in ensuring data protection practices remain fit for the future. This is a two-year trial and, if I do not see the improvements that I hope to see, then I will look again."

This is the first of several new initiatives that will be announced in the coming weeks as part of the ICO’s new three-year strategic vision, encouraging organisations to innovate with due regard to the responsible use of personal data.

ICO to retain a proportion of MPN revenue

The ICO has announced that it has reached an agreement with the Treasury and DCMS under which it will be able to retain a proportion of the sums generated through issuing monetary penalty notices.

Until now, the entirety of such sums had to be passed to the Government's central Consolidated Fund, part of the rationale being to avoid any allegation that the ICO might issue large fines because it would directly benefit from that income. However, the resources of regulators with such a broad remit are becoming increasingly stretched, and several other regulators in Europe are already permitted to retain income from penalties to help cover their operating costs.

The new policy is, however, subject to some limitations: the amount the ICO can retain is capped at £7.5 million per year, and the money can only be used to cover litigation expenditure (i.e. external experts and counsel). The fund will be subject to the jurisdiction of the National Audit Office to ensure these rules are fully observed, and details will be included in the ICO's annual report.

UK reaches agreement with Republic of Korea on data adequacy

On 5th July 2022 the UK government announced that it had reached an agreement in principle with the Republic of Korea on data adequacy. Once in force, this will allow UK organisations to transfer personal data to the Republic of Korea freely, without the need to put additional safeguards in place to ensure such transfers are lawful.

The agreement, entitled a "Memorandum of Understanding on Cooperation in the Regulation of Laws Protecting Personal Data" is the first independent adequacy agreement concluded by the UK since leaving the European Union. The European Commission issued its own adequacy decision in favour of the Republic of Korea in December 2021. 

The UK government's response to the DCMS consultation Data: A New Direction confirms that the government believes there are numerous other jurisdictions which have implemented adequate data protection standards, and that it has an ambitious plan to conclude several other adequacy agreements in the near term. These include Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, Singapore, and the United States. As the European Commission has not yet issued adequacy decisions in relation to any of these jurisdictions, an adequacy agreement between any of their governments and the UK could have material implications for EU – UK data flows.

EDPB Guidelines on certification as a transfer tool

At the plenary session of the European Data Protection Board (EDPB) on 16th June 2022 it was announced that the EDPB had adopted new guidelines on certification schemes as a transfer tool. Where organisations subject to the GDPR seek to export personal data to a third country, certification schemes are one of the potential tools available to ensure that such transfers are lawful. Following the CJEU's Schrems II decision and the EDPB's subsequent guidance, organisations continue to face challenges in ensuring that their exports of personal data from the EU are lawful. The main purpose of the EDPB's new guidelines is to raise awareness of this transfer tool and to provide further information on how it may be utilised in practice.

The guidelines will be subject to public consultation until the end of September.

Independent review recommends ban on the use of LFR tech

The Ada Lovelace Institute (Ada) has published a report into the increasing use of live facial recognition technology (LFR) in the UK. Ada calls for a moratorium on the use of LFR in both public and private spaces, in view of the Report's findings that the framework for regulating the use of such technologies is currently inadequate to ensure the protection of individual rights. 

Biometric data, such as data relating to fingerprints, facial features and expressions, voiceprints, iris patterns, gait and other data derived from analysis of the human body, is uniquely personal. Ada highlights that such data is inherently linked to who we are and cannot generally be changed, hidden or separated from personal identity. As technological advances and increased reliance on such data in decision-making have outpaced specific regulation, there are concerns that processing this data could significantly infringe individual privacy rights, in turn causing damage to freedom of expression, association and assembly.

Although biometric data is always personal data, despite its sensitivity it is only treated as "special category data" under the UK GDPR (which requires specific, robust safeguards) when it is processed for the purpose of uniquely identifying an individual. As a result, when biometric data is instead used to categorise data subjects into groups without specifically identifying them, there is potentially a very significant gap in the protection of those individuals' rights.

The Report recommends:

(a) a new, specific law governing the use of biometric technology, both for identification and for classification, and in both public and private spaces;

(b) a new independent, national regulatory function specifically targeting biometrics, tasked with maintaining a register of all public-sector uses of biometric technologies; and

(c) that this new regulatory function also oversee assessments of new biometric technologies to ensure their accuracy and proportionality.

Key Contacts

Helena Brown, Partner, Commercial and Data Protection & Head of Data, Edinburgh, UK

Ross McKenzie, Partner, Commercial & Data Protection, Aberdeen, UK

Dr. Nathalie Moreno, Partner, Commercial and Data Protection

Claire Edwards, Partner, Commercial and Data Protection