By Jade Kowalski, Charlotte Halford, Christopher Air, Hans Allnutt, Rebecca Morgan, Christopher Little, Astrid Hardy, Zoe Carpenter & Omar Kamal


Published 22 July 2022

Overview

Introduction

On 19th July 2022 the Information Commissioner’s Office (ICO) held its annual Data Protection Practitioners’ Conference – the first since John Edwards took on the role of Commissioner. There was no shortage of content on a variety of topics including international data transfers and the role of the ICO.  

Your DAC Beachcroft data protection and cyber team was dialled in and listening intently to pick out the top takeaways.

ICO25

A key theme running through many of the sessions was the ICO’s draft strategic plan “ICO25” and, in particular, the four proposed strategic objectives to (i) safeguard and empower people; (ii) empower responsible innovation and sustainable economic growth; (iii) promote openness, transparency and accountability; and (iv) continuously develop the ICO’s culture, capability and capacity. These objectives will drive ICO activity and enforcement over the next three years. The plan is open for consultation until 22 September and will be finalised in the Autumn.

Reform: The Data Protection and Digital Information Bill

There was generally a positive outlook from the Conference in respect of the proposed Data Protection and Digital Information Bill and the reform of the UK data protection regime. It was recognised that the proposed reforms strike a good balance between improvement and giving people confidence in their use of personal data. In respect of accountability, the ICO appeared positive regarding the replacement of the role of the Data Protection Officer with a senior responsible individual, as this would increase flexibility for businesses in complying with their data protection obligations. The ICO also expressed optimism about the benefits the reforms will have in allowing organisations to take a proportionate approach based on the types of data that they are using. Although it was noted that it was too early to understand the impact of the proposed UK law reforms on cross-border data transfers, it was acknowledged that this is high on the Government’s list of issues to address. In respect of a future EU adequacy finding for the UK, the ICO appeared confident that data is equally protected in the UK as it is within the EU. Overall, the ICO underlined its commitment to providing appropriate support to organisations in complying with the future legislation and welcomed the increased ability to allocate its own resources.

A detailed update on the Data Protection and Digital Information Bill will follow in due course.

Technology and Innovation

In one of the Conference sessions, Adam Ingle from the new foresight team summarised the following five emerging technologies which the ICO will be focussing on in the next year, all of which involve processing personal data in innovative ways:

  • Biometric technologies – an emerging and controversial use of biometric data is to infer someone’s emotional state, using algorithms to predict for instance whether someone with an agitated facial expression or certain gait in their walk could pose a security threat and to issue a warning to security staff to treat them with suspicion.
  • Blockchain – whilst Blockchain offers significant potential for sharing data more freely, without the risk of data being lost, it also poses challenges from a privacy perspective – as personal data on the Blockchain will be available for anyone to view indefinitely, and is unlikely to be capable of being fully anonymised.
  • Smart spaces – the next generation of the Internet of Things (IoT) will involve interconnected environments, e.g. micro sensors in the office and home environments collecting data which blurs the distinction between data collected at work and home.
  • Immersive technologies – there are question marks around how augmented and virtual reality interact with information rights and certain concerns around uses of such data e.g. for targeted advertising.
  • Privacy enhancing technologies (PETs) – solutions such as trusted execution environments offer the potential to improve anonymisation and data security, enabling companies to maximise the value of data sharing whilst ensuring that suitable protections are in place to deliver compliance.

Building responsible AI

This presentation focussed heavily on the ICO’s “AI and Data Protection Toolkit”, which is designed to:

  • identify risks to individuals’ rights and freedoms caused by the use of AI systems;
  • connect those risks to what is mandated under the UK GDPR;
  • then provide practical steps to help mitigate the identified risks; and
  • make it easier for companies using AI to comply at each AI lifecycle “stage” with data protection legislation.

The practical steps which organisations are able to take when a risk is identified fall into the following three categories: (1) a “must”, which represents a legal requirement; (2) a “should”, which represents what the ICO considers to be best practice; or (3) a “could”, which represents optional good practice. The ICO hopes that this tiered system will make decision making when faced with data processing risks a simpler and more manageable process.

The ICO believes in particular that the following three broad groups are likely to benefit from the Toolkit: risk and governance teams (for example the DPO and/or Legal and Compliance functions), AI model development teams, and members of an organisation’s senior leadership (as such individuals are likely in reality to provide sign off for data processing which takes place in an AI system).

International Data Transfers

During another session, the ICO unveiled its much-anticipated approach to transfer risk assessments (TRAs), and is expected to publish its guidance on this by September at the latest.

Emma Bate, Director of Legal Services at the ICO, gave a preview of what we can expect to see later this Summer, with the proviso that the guidance has not yet had formal sign-off. Despite that, she said, it does give a flavour of the ICO’s approach.

Two main options in terms of an approach to a TRA were outlined:

  • Option one: an assessment comparing the laws and practices of the UK (including the UK GDPR) to the laws and practices of the destination country; or
  • Option two: an assessment comparing the position of the data subject in the particular circumstances of the transfers (a) if the data remains in the UK and (b) if the proposed transfer goes ahead.

For those organisations operating in the UK and Europe, or for those who have been working on their TRA processes based on the EDPB guidance, this is good news: option one essentially means that a TRA based on the EDPB guidance will meet the ICO’s requirements. If desired, you could therefore use the same process for both Europe and the UK.

The TRA tool being proposed by the ICO will involve a seven-step process and will include consideration of the level of risk to data subjects in the personal data that you are transferring. What also came across clearly was the recognition that the TRA process should be reasonable and proportionate for organisations to manage.

We all eagerly await the final publication of the guidance.

Data breach compensation claims - a new role for the ICO

In a panel session entitled “Ask the ICO”, John Edwards was asked to explain the main differences between his current role as the UK Information Commissioner and his previous role as New Zealand's Privacy Commissioner. Interestingly, his response hinted at the mechanism in New Zealand for individuals to raise data protection complaints and allegations of distress with the Privacy Commissioner directly. In New Zealand, John Edwards explained, the Privacy Commissioner investigates complaints and, if there is a valid claim for compensation for distress, it will assist with settlement negotiations between the individual data subject and the organisation. No such mechanism exists in the UK as yet. In the UK, we have seen a significant increase in data breach compensation claims over the past two years, but these are ordinarily handled by claimant law firms, in correspondence with data controllers or their lawyers directly.

John Edwards noted that there "was scope for [the ICO] to emulate that [in the UK]", and that the ICO would adopt a "dispute resolution mindset", where it is possible and reasonable to do so. It is yet to be seen how the ICO envisages this role would be undertaken but it is clear from John Edwards' remarks that it is on the ICO's agenda. Although this may be welcome news for data controllers who receive numerous compensation claim requests, we suspect that the news was not well received by claimant law firms who may ultimately lose business as a result. We query how such a move would be resourced given the existing pressures on ICO staff. Perhaps a new compensation claims ombudsman would need to be created to deal with the likely high number of compensation claims received as we suspect the regulator will not have the capacity to deal with these just yet!

Moving forward

The Conference came just one day after the release of the new Data Protection and Digital Information Bill. As well as making amendments to core data protection law, the Bill (as currently drafted) seeks to amend the way the ICO itself is formed and operates. We will issue a full analysis of the Bill in due course.

Article Authors: Jade Kowalski, Charlotte Halford, Christopher Air, Eleanor Ludlam, Hans Allnutt, Rebecca Morgan, Christopher Little, Astrid Hardy, Zoe Carpenter, Omar Kamal
