Data Protection Day and the year ahead

Friday 27 January 2023

On 26 April 2006, the Council of Europe decided to launch a Data Protection Day to be celebrated each year on 28 January. The day is intended to raise awareness of rights under data protection and privacy legislation.

Generally, awareness of individuals’ data protection rights has increased over the last few years. However, some businesses are still falling short of their obligations under the data protection legislation.

Over the past year, European and UK data protection regulators imposed some eye-watering fines for breaches of data protection legislation. For instance, the Irish regulator imposed fines of 265 million Euros against Meta and 405 million Euros against Instagram; and the Information Commissioner's Office (ICO) in the UK fined Clearview AI £7.5 million and Interserve Group Ltd £4.4 million.

Data protection regulators have seen an increase in reports of breaches of data protection legislation. Whilst the number of reported cyber-attacks has increased, the most commonly reported breach is still an email sent to the wrong recipient.

The investigations undertaken by the regulators into reported breaches have all stressed the importance of being able to evidence your compliance with the data protection legislation when processing personal data. This evidence includes having policies which address personal data, procedures, frameworks, and an ongoing governance programme. It also means undertaking and documenting a continuous assessment of the risks associated with the business's processing of personal data and being able to demonstrate that you have reacted appropriately to those risks, including ensuring that all staff are trained, not just in general data protection compliance but specifically in the risks faced by your business.

With the advent of the new year, it is a good time to ensure your business’s policies and procedures are up to date. It’s also worth remembering that the ICO is now publishing all reprimands issued.

It is a good idea to check the lawful basis being used for your processing of personal data, as the recent European Data Protection Board decision confirmed that performance of a contract cannot be relied upon as a lawful basis where personal data is processed for the delivery of behavioural or personalised advertising.

2022 also saw some changes to data protection rules in the UK and the EU.

The ICO introduced new documents for data transfers outside of the UK using International Data Transfer Agreements (IDTAs) and the UK addendum to the Standard Contractual Clauses to ensure the appropriate safeguards are in place. The ICO also issued a transfer risk assessment document to help assess whether the relevant protections for people under UK data protection rules will be undermined. Contracts which have international transfers of personal data will need to be updated by 21st March 2024, or beforehand if you significantly change your processing.

The EU also passed the Digital Markets Act and the Digital Services Act, which will determine how large online platforms operate in the decades to come to ensure fair competition and more choice for users.

Looking ahead to 2023, there are likely to be more changes to the data protection rules.

2022 saw the announcement of the Data Protection and Digital Information Bill, intended to make UK GDPR and data protection compliance more agile and easier to understand and comply with. Whilst it seems to be on hold, the rumour mill would have us believe that we can expect extensive changes in the new Bill later this year.

The Data Protection and Digital Information Bill will also address the rules on cookies and direct marketing and is likely to strengthen the ICO’s enforcement powers. At the ICO conference in 2022, the ICO warned that it would increase fines imposed for breaches of direct marketing rules especially if there was evidence of the business targeting vulnerable individuals.

With the government’s proposed Retained EU Law (Revocation and Reform) Bill expected this year, the UK GDPR and PECR could become a distant memory. With the UK's adequacy decision due to expire on 27th June 2025, we wait with bated breath to see whether, and how far, the UK will move away from GDPR. It is of note that the EU's adequacy decision relies upon the UK being able to provide a level of protection for personal data equivalent to that afforded by EU member states.

The ICO continues its progress under its ICO25 plan, whose objectives are to safeguard and empower people, to empower responsible innovation and sustainable economic growth, and to promote openness, transparency and accountability, driven by its values. The plan also commits the ICO to continuously developing its culture, capability and capacity.

The ICO has also been consulting on the age-appropriate design code of practice, by looking at making the internet a safer place for children to learn and play. It is also in the consultation stage of the data protection and journalism code of practice, looking at how personal data is processed for the purposes of journalism.

The ICO’s consultation on monitoring employees in the workplace ended on 20th January 2023, so we will hopefully get some guidance during 2023 on this.

In Europe, the EU is looking at introducing the Artificial Intelligence Act, the Data Act and the Data Governance Act. The EU is also looking at finalising the EU–US privacy framework, which is likely to be in place by summer 2023. It is likely that a UK–US transfer mechanism will follow this.

The UK is also looking at an adequacy decision with India.

If you or your organisation have any queries on how to establish a compliant data privacy culture and implement the principles of data protection and effectively safeguard an individual’s rights, please contact Eleanore Beard in our Data Protection Team.
