The bill would largely build on the UK data protection regime’s EU GDPR-style framework, albeit with UK-specific provisions.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK government introduced the Data Protection and Digital Information Bill (the Bill) to Parliament on 18 July 2022, following the publication of its response to the consultation “Data: a new direction” (the Consultation). (For more information on the Consultation, see this Latham blog post.)

The Bill details the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)).

This article presents an overview of the proposed changes. In part 2, we provide a deeper dive into certain key provisions.

In summary, the proposed changes — while broad in scope — do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

Areas of interest include anonymisation, “recognised legitimate interests”, and the ICO’s role.

By James Lloyd, Fiona M. Maclean, Calum Docherty, Irina Vasile, Alex Ford-Cox, and Amy Smyth

The UK Data Protection and Digital Information Bill (the Bill) sets out the government’s proposals for reforming the current UK data protection regime (consisting primarily of the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR)). While broad in scope, the proposals do not amount to a wholesale change in direction for UK data protection laws. Assuming the Bill is passed without amendment, the UK regime would largely build on the current EU GDPR-style framework, albeit with UK-specific provisions. The changes can be grouped into two categories: (1) a more risk-based / outcome-focused approach and (2) developments in key areas around accountability, data subject rights, security, and legal grounds for processing.

This article provides a deep dive into certain key provisions of the Bill. In part 1, we provide an overview of the proposed changes.

UK government sets out ambitious proposal for reforming the UK data protection landscape.

By Gail E. Crawford, Ian Felstead, Fiona M. Maclean, Irina Vasile, Timothy Neo, and Amy Smyth

On 17 June 2022, the Department for Culture, Media and Sport (DCMS) published its response to its consultation “Data: a new direction” (the Consultation), setting out the government’s plans to reform the UK data protection regime.

These reforms are part of the UK’s National Data Strategy, which seeks to shift focus from prescriptive requirements to a risk-based approach, thereby making data protection less burdensome for businesses and enabling them to protect personal data in a proportionate and appropriate way. The DCMS has indicated, in comments at a recent conference, that the intention and direction of travel is to build on, improve, and clarify the approach that the UK will take with the UK GDPR in a way that benefits businesses whilst maintaining the same level of data protection for individuals.

This blog post scrutinises some of the Consultation’s key takeaways. For a full list of proposals that are being taken forward pursuant to the Consultation, see this response Annex.

Update confirms the introduction of an active “duty of care” and a dedicated regulator, as part of a comprehensive new online regulatory regime.

By Alain Traill, Rachael Astin, Gail E. Crawford, and Patrick Mitchell

Following a wave of commentary from industry, the social sector, and other organisations, on 11 February 2020 the UK government set out preliminary details of a new regulatory regime to govern content posted on online platforms. The details were released in an initial response to last year’s online harms white paper, with a full response expected this spring. While some changes have been made to the white paper proposals, seemingly in response to concerns raised by industry and other stakeholders, the government has confirmed that it will introduce an active “duty of care” on organisations to prevent certain content from appearing on their platforms.

The proposed new regime mirrors similar steps taken in other jurisdictions, e.g., Australia, to protect against harmful content online. It is also in-line with the direction of travel of platform regulation at a European level, taking into account, for example, changes to the AVMS Directive (EU) 2018/1808 (AVMSD) to regulate video-sharing platform services (VSPs) in relation to protection of minors and harmful content, and the planned EU Digital Services Act, which is likely to introduce changes to EU law regarding the liability of platform providers for content posted using their services.

Despite progress, the online advertising industry and UK regulators are still at odds over the “legitimate interest” definition under the GDPR.

By Olga Phillips and Elizabeth Purcell

Following publication of the UK Information Commissioner’s Office’s (ICO’s) report on adtech and real time bidding in June 2019, the ICO has been working closely with the online advertising industry to improve data protection practices by the end of the year.

Simon McDougall, the ICO’s Executive Director for Technology Policy and Innovation, reportedly stated at the recent AdTech London event that the ICO has made progress with the industry, including through workshops with Google and the Interactive Advertising Bureau Europe (IAB), which were both featured in the June report. However, McDougall noted that there is still “a very big difference” in how the online advertising industry and the ICO view the “legitimate interest” legal basis for processing personal data under the General Data Protection Regulation (GDPR). The ICO has yet to be convinced of the use cases in which the industry is seeking to rely on the legitimate interest basis.

UK data protection regulator demands companies in the RTB ecosystem re-evaluate privacy notices, use of personal data, and lawful basis.

By Robert Blamires, Calum Docherty, Laura Holden, and Lucy Tucker

The UK Information Commissioner’s Office’s (ICO’s) latest report into adtech and real time bidding (RTB) (the ICO Report) provides a stark assessment of the adtech sector’s use of personal data in RTB scenarios. The ICO Report notes widespread compliance concerns that, in some cases, the ICO does not consider “will be addressed without intervention.” Organizations in this field should expect potentially more vigorous investigations and enforcement action if the ICO’s concerns are not addressed.

RTB is an online ad-buying process by which advertising space on websites is bought and sold via an instantaneous “programmatic” auction. During the auction process, a wide range of data (mostly originated from cookies) can be shared with multiple advertisers who place real time bids for relevant ad space. 

The proposals would grant consumers increasing rights to require providers to share access to their data directly with chosen third parties.

By Alain Traill and Gail Crawford

The UK government has released a consultation advocating the introduction of sweeping new requirements for service providers to share both consumer data (upon request) and data regarding their own products and services, with third parties. The proposals, released on 11 June 2019 by the Department for Business, Energy and Industrial Strategy (BEIS) in its Smart Data report and consultation, are indicative of a wider drive toward requiring companies to free up access to the data they hold. The drivers behind this include a desire to increase competition, foster the growth of data-driven services, and improve consumer choice.

The proposals follow the introduction of a range of sector-specific initiatives in the UK and is part of a concerted government focus on digital strategy, as evidenced in its recent white paper on Regulation for the Fourth Industrial Revolution, as well as the National Data Strategy introduced last year.

The ICO issued notices of intent to fine British Airways and Marriott. What happened?

By Gail Crawford, Fiona Maclean, Hayley Pizzey, and Calum Docherty

On 8 July 2019, the UK Information Commissioner’s Office (ICO) announced a notice of intent to fine British Airways £183.39 million (about US$230 million) for violating the General Data Protection Regulation (GDPR). The proposed fine is the largest to date under the GDPR, and equals 1.5% of British Airways’ 2017 global turnover, according to the Financial Times. It follows months of investigation after British Airways notified the ICO of a security incident that led to the theft of customer data in September 2018.

Then on 9 July 2019, the ICO announced a notice of intent to fine Marriott International £99.2 million (about US$124 million) for infringements of the GDPR stemming from a data breach at Starwood, which it acquired in 2016. According to the Wall Street Journal, this fine represents 2.5% of Marriott’s global revenue. Marriott initially announced the data breach in November 2018, which led to an ICO probe.

UK publishes White Paper with hard-hitting regulatory proposals to tackle online harms.

By Alain Traill, Stuart Davis, Andrew Moyle, Deborah Kirk and Gail Crawford

On 8 April 2019, the Home Office and the Department for Culture, Media and Sport (DCMS) published an “Online Harms White Paper”, proposing a new compliance and enforcement regime intended to combat online harms. The regime is designed to force online platforms to move away from self-regulation and sets out a legal framework to tackle users’ illegal and socially harmful activity. Although the regime appears to target larger social media platforms, the proposals technically extend to all organisations that provide online platforms allowing user interaction or user-generated content (not limited to social media companies or even ‘service providers’ in the traditional sense) and set out a potentially onerous and punitive compliance and enforcement regime for a broad set of online providers.

Companies should identify data flows, implement a data transfer solution, and update internal documents and privacy notices.

By Fiona M. Maclean and Jane Bentham

Since our blog on “What a “No Deal” Brexit Means for UK Data Privacy”, the European Data Protection Board (EDPB) has published two information notes on data transfers in the event of a “no deal” Brexit:

  • A general note on the various data transfer mechanisms (and exceptions) under the GDPR
  • A specific note on the Information Commissioner’s Office (ICO), the UK regulator, as a Lead Supervisory Authority for Binding Corporate Rules

The UK government has also issued a paper titled “Implications for Business and Trade of a no Deal Exit on 29 March 2019,” including a small section on data transfers. The paper states that the government’s primary aim is to ensure that the UK leaves the EU on 29 March 2019 (the Exit Date) with an agreed and approved Withdrawal Agreement and Political Declaration (the Proposed Deal). Of course it is possible that Brexit may be delayed by extending Article 50 to give the UK more negotiating time with the EU.