Plain Speaking on Data Protection

The past few months have been very busy on the data protection front. A new Information Commissioner, a new focus on ‘Ad-Tech’ (more later), and some increasing concerns on the EU’s ‘Adequacy Decision’.

Moreover, the UK has been busy negotiating with the United States and is introducing new standardised documents to try to keep information flowing, whilst keeping everyone happy in the process. 

New Information Commissioner

Although worthy of note, the appointment of John Edwards as the UK’s new Information Commissioner in January 2022, would not normally have been the subject of news headlines. It will be interesting to see how the new incumbent will develop the Information Commissioner’s Office (ICO) in the short term, particularly given his liking for Twitter and direct speaking.

It’s pleasing to hear that the British public has already made a good impression on the New Zealander after a civic-minded citizen gave him a pound coin to unlock a baggage trolley at Gatwick airport on arrival to take up his new appointment. It is in keeping with his new role that he didn’t take the individual’s personal details so that he might return the coin.

At his pre-appointment hearing Mr Edwards had indicated his lack of enthusiasm for broadening freedom of information access to private firms involved in public sector contracts; so there may be a change of direction from that pursued by his more liberal predecessor. 

It is also noted that we may need to get used to a more antipodean bluntness from the ICO. On discussing the dichotomy of strong regulation against innovation, Edward’s stance was very clear: 

‘It’s bulls***’.

International Data Transfer Agreement (IDTA) 

In March, the ICO advised that the new UK form of IDTA, and an addendum to the European Commission’s Standard Contractual Clauses are now in force. 

The IDTA is a contract which the ICO requires firms to use when making a restricted transfer of personal data to a country outside the UK. They believe it contains appropriate safeguards for the transferred data, including enforceable data subject rights. Hopefully, this will provide sufficiently similar protections to UK citizens in the event of dispute. 

The new documents and text can be used immediately, but must be in place by March 2024.

The Adequacy Decision 

We are only a few months into 2022, with more than three years left until the European Commission must next decide whether the UK remains good enough to retain its membership of the select band of countries with which data can be shared quickly and easily. 

Unfortunately, the four-yearly review is already coming under strain from the UK Government. Although slightly more interesting than the Olympic Games (a personal opinion), there is already anticipation that we might not want to take part next time. 

We’ve already told the EU that “reforming [the UK’s] data laws so that they’re based on common sense, not box-ticking …” is important to us. This was seen as a way to kickstart new arrangements with other countries, including the USA, Singapore, South Korea, Brazil, and Australia. 

There has always been a worry that major deviations from EU regulation could risk the UK’s standing in the eyes of the EEA states we share an agreement with. Of particular concern has been the proposed data sharing relationship with the US.

Following questioning in Parliament in April 2022, Helen Whatley, a Treasury Minister, said: “The UK regained autonomy over its domestic data-protection laws on 1 January 2021 and exact alignment to EU law is not a requirement for EU data adequacy… (this is), helping to drive growth, innovation, and competition across the country. 

“The economic impact of any future legislation to implement these reforms will be assessed in the usual way, and we will continue to engage with EU counterparts, as appropriate, on these issues. The government response to the ‘Data: a new direction’ consultation will be published in the spring.” 

At a basic level, we need to be prepared for further regulatory change, but we must also hope that any advantages do not come with damaging consequences to data transfer across the Channel into Europe. The new Information Commissioner has already advised that any change by the UK that affected data adequacy in this way would need to ‘significantly outweigh’ the impact of damaging the country’s relationship with the EU.

European Developments – Data Governance Act 

Although the UK has left the EU, we must remember that ‘Global Britain’ still needs to trade with its partners on the other side of the English Channel and the Irish Sea. This means that data passing in those directions need to comply with EU law, including the EU Data Governance Act. (Note- we aren’t just talking about ‘personal’ data here!)

This is only part of the ‘European Strategy for Data’, and more can be expected to follow from the EU over the coming months. 

Procedural steps have now concluded, the EU Act will come into force across the twenty-seven member states in the summer of 2023, covering “any digital representation of acts, facts, or information…”. 

There are several key points that those responsible for data protection in firms need to be aware of, including: 

Data Intermediary Licences – Organisations that supply data, but don’t ‘add value’ (i.e. process it in some way) will need to become licence holders, meeting conditions that should ensure their independence whilst restricting their re-use of data itself. This will certainly impact on the online marketing and advertisers we have come to know and love as we are targeted through personal interests, such as our favourite Bristol Rovers fan site. (Just me?) 

Data Altruism – There is no doubt that the use of the huge amount of data available on individuals and groups can be used for good, as well as simple commercial gain. The Act aims to encourage the ‘good’ by promoting the not-forprofit use of data through bodies becoming ‘data altruism organisations’. 

Although it is up to each member state to fully define the licencing system itself, it is expected to cover areas such as healthcare, combating climate change, improving public services, and scientific research purposes in the population’s general interest. 

Non-Personal Data – This is an important bit! GDPR focusses on the individual, whereas the Data Governance Act covers everything and everyone. Organisations will need to look to the protections afforded to non-personal data by third countries, including the ability of the authorities in those countries to access the data. Now sitting outside the EU, the UK qualifies as a third country, so the issue of ‘data in’ needs to be considered here, as well as ‘data out’. It remains to be seen how well the UK Government takes to not being allowed access to EU data stored or processed here.

More European Developments – The Data Act

Not content with introducing the Data Governance Act, in February 2022 the European Commission proposed a second batch of changes going by the less imaginatively named ‘Data Act’. Whilst it is likely that its name will expand in the future, it is also likely that the Act’s impact will too. 

Based on the sharing of ‘industrial data’, there is a hope that by legislating now, problems arising from the Internet of Things (IoT) will be reduced. Knowing how much milk is sitting in someone’s kitchen may seem innocuous, but a lot can be gleaned about a person from the data their fridge, oven and washing machine quietly provides to marketeers. Add in banking details for purchases and the risks start to mount.

The European Commission has estimated the value of the data economy to be over the €270 billion mark in the next six years, so there’s no time like the present to start regulating. If all goes to plan, the Act should hit member states in 2024. 

At the moment, IoT information ends up with the manufacturer of the white goods, but these data are too precious to stay there. In addition to Hotpoint knowing the temperature you wash your jumpers at, the Data Act will apply to the data intermediaries. This can make the information available to data purchasers, public bodies, and data processors. Although oversight is increased, there is a positive side for the users of this type of information, a push to standardised data formats across the IoT. 

Like the Data Governance Act, this expands a GDPR-like data control to non-personal information. UK manufacturers, funders and regulators need to be aware of what our European neighbours are doing, to avoid being left behind. 

Even More European Developments – EU/US Agreements 

In 2020, the EU/US Privacy Shield agreement failed, over a range of areas where harmonisation proved a little too difficult to maintain. 

Ironically, the US has a more ‘laissez-faire’ approach to corporate data sharing than the French and seems to take more ‘schadenfreude’ from imposing government oversight than the Germans. It does seem that a concord(e) is fast approaching, with a US Department of Commerce Director, Alex Greenstein, saying that EU and US negotiators are approaching the “the home stretch” regarding a personal data transfer mechanism perhaps before the mid-point of 2022.

Following ‘Safe Harbour’ and ‘Privacy Shield’, it will be interesting to see what name they conjure up for this new initiative. 

Unfortunately, with the irony meter approaching the top of the scale, this EU/US agreement may impact on our own UK/US negotiations and could damage the EU/UK Adequacy Decision for 2025. Although agreement will not have direct effect on UK to US transfers, it may affect the IDTA content in the future, which would be a blow to Brexit ‘independence’. What a terribly tangled web is being woven.

In Conclusion 

A new UK Information Commissioner, a new International Data Transfer Agreement, new government instructions, and the same old EU paper factory churning out more regulatory change. There’s always plenty to be getting on with and it’s just becoming a little harder to keep on top of it all. 

When working in the data protection field, some may think it dull, some may think it is lacking in excitement. But I can safely say that, as a Bristol Rovers fan, there are far more boring places to be than trying to analyse and implement each novel development in data protection. 

To paraphrase our new commissioner, that’s no bulls***.