The Information Commissioner’s Office (“ICO”) has published an article entitled – “Data Protection: what to expect in 2022” – which focuses on the main developments from the UK but also includes EU developments that are likely to remain important to businesses that operate both in the UK and the EU.
We summarise the article below for you, picking out the key issues as we believe they relate to our clients. It will be interesting to see, throughout 2022, the extent to which the UK diverges from the EU rules when it comes to areas such as e-privacy, digital regulation and AI.
Confirmation of changes to accountability framework – some of the changes being considered include introducing a risk-based accountability framework that will be tailored to each organisation’s data processing work and based on a privacy management programme. There would no longer be a mandatory requirement to appoint a data protection officer, perform data privacy impact assessments or keep processing records. Before any changes are made, the results of the analysis carried out by DCMS are awaited; these will confirm whether corporations will welcome these changes or whether they will be considered just as burdensome as the existing ones.
The ICO is making an effort to enforce compliance with the UK GDPR whilst keeping up with the rapidly evolving digital landscape and understanding the challenges faced by organisations during the pandemic. The ICO will continue to engage constructively with corporations by providing guidance and evaluating projects.
A new statutory code to ensure compliance with data protection requirements will be presented to Parliament in 2022; the code will provide guidance to media organisations and those involved in data processing for the purposes of journalistic work.
Certification is a way for an organisation to show it is complying with its data protection obligations. The ICO is keen to develop more certification schemes during 2022.
The Government’s proposal includes a list of cookies that would not require consent in order to be used; analytic cookies would be on that list. Third party cookies would still require consent, and the proposed list would not exempt an organisation from providing comprehensive information about its cookies policies.
The DCMS consultation seeks views on automated decision-making and profiling, in order to reduce the restrictions on them and to include the right to human intervention and the collateral use of personal data.
Google’s proposal to remove third party cookies – Google’s proposal on “Google Privacy Sandbox” intends to enable targeted advertising by implementing alternative technologies that will allow cross-tracking and replace third party cookies. Google is confident that its Privacy Sandbox will allow for a healthy ad-supported web; this will force advertisers and publishers to adapt their procedures.
The Richard Lloyd v Google ruling has made it more difficult to bring class actions on an opt-out basis for breaches of data protection law. Mr Lloyd’s argument that “loss of control” over personal data is included within the meaning of the word “damage” in section 13(1) was supported by the ICO. A number of class actions have been put on hold awaiting the outcome of this ruling, and we wait to see if they will be continued.
Data security and data breaches will continue to be a focus for organisations and the ICO. Hardware and software misconfiguration, and ransomware, were the areas with the biggest increase in reported incidents, and therefore there may be a higher focus on these.
The ICO approved certification scheme criteria that ensure personal data has been dealt with correctly whenever IT equipment is re-used or destroyed.
A preliminary paper on end-to-end encryption, including online safety, is expected to be published in early 2022.
The Product Security and Telecommunications Infrastructure Bill has been published by the Government. The Bill creates a regulatory scheme that makes consumer connectable products safer against cyber attacks.
The consultation has proposed the use of data intermediaries in the public, private and third sectors, to help manage data collection and sharing in an efficient and responsible manner.
The National Data Strategy aims to allow for a thriving and fast-growing digital sector by empowering Government and the economy through the use of data and ensuring public trust in its use. The Regulatory Sandbox will support organisations that provide services or products that use personal data in an innovative and safe way.
The EU Data Governance Act will boost data sharing across different sectors and EU member states. This will not apply to the UK after Brexit.
Once the code of practice is in force, it will grant more powers to the ICO to enforce the Data Protection Act 1998 than the current direct marketing guidelines.
The DCMS consultation has proposed to extend “the soft opt-in” for electronic communications for direct marketing to also cover non-commercial organisations such as political and charitable organisations and proposes to grant further powers to the ICO by introducing new laws to prevent nuisance calls, texts and emails.
This regulation intends to tighten the rules on electronic direct marketing such as emails, texts and calls. This will not apply in the UK. However, in view of its proposed territorial reach, it is relevant to follow its progress.
New guidance on recruitment, employment records and the monitoring of workers and information about their health is expected from the Information Commissioner’s Office.
Data protection compliance issues may arise from employers monitoring their employees’ productivity while working from home, and from the collection of vaccination status and data on work patterns and movements. Employers will have to work through and document any compliance issues.
The DCMS has proposed global data protection plans that aim to promote growth, increase trade amongst countries and help improve public services. The proposals include:
John Edwards will have a challenging inbox to work through as the new Information Commissioner. Key issues include:
A fee structure is being considered in order to help the capacity to respond to such requests based on factors such as time, cost and scope. The ICO has drafted guidance on the rights of access individuals have in relation to personal data held for law enforcement purposes and what obligations the competent authorities have.
A consultation is being held on reforming the Human Rights Act and replacing it with a UK Bill of Rights; the consultation will close on 8 March 2022.
This Bill will apply to social media providers and search engines and includes the duty to protect rights of freedom of expression and privacy.
Unsolicited marketing communications continue to be made by organisations such as American Express and Sports Direct regardless of the number of fines for infringements of PECR. DCMS has suggested increasing the fines to the same values as those under the UK GDPR, which could act as a significant deterrent.
The ICO has suggested that the PECR should include extra-territorial scope, which would enable the ICO to pursue organisations that target UK citizens, even if they are outside the UK.
LFR poses a risk to data protection rights, especially in a future where LFR is integrated with CCTV camera systems and combined with social media. A high bar has been set to justify the use of LFR, and the pursuit of public protection has to be balanced with privacy and data protection concerns.
If you would like further information on any of the issues raised above or would like to discuss a particular issue with our data protection team, please contact Laura Trapnell or another member of our Data Protection team.