This article summarises the main developments that will affect data protection practitioners in England and Wales in 2022.
Scope of this resource
Although this article summarises the main developments from a UK perspective, it does include EU developments as these are likely to remain of relevance in the UK for organisations operating across the UK and the EU and may be taken into account in applying and enforcing the UK GDPR. They are also worth noting in relation to the UK's adequacy assessment and the UK's need to retain a data protection regime essentially equivalent to that of the EU. A key area of interest for 2022 will be the extent to which the UK diverges from EU rules, not just in core data protection legislation following the Department for Digital, Culture, Media and Sport (DCMS) consultation (see DCMS: Data: A new direction (10 September 2021) and Article, DCMS data protection reforms: summary of consultation proposals) but in other areas such as e-privacy, digital regulation and AI.
Compliance
The principal focus of attention for organisations in 2022 will be the results of the DCMS consultation on the government's proposals to reform the perceived burden of complying with the UK GDPR (DCMS: Data: A new direction (10 September 2021)). Compliance generally and accountability are of perennial concern for organisations large and small, due to demands on time and resource allied with the threat of incurring a significant fine and damage to business reputation for significant breaches of obligations under the UK GDPR and Data Protection Act 2018 (DPA 2018). Key compliance developments awaited in 2022 include:
Confirmation of changes to accountability framework. Reforms to the UK data protection regime outlined by the DCMS in September 2021 (see Legal update, DCMS announces plans to reform UK data protection regime and Article, DCMS data protection reforms: summary of consultation proposals) will be further refined in 2022, following publication of the results from its consultation in due course (no announcement on timing has yet been made). Changes under consideration include a redesign for the UK GDPR's accountability framework by introducing a risk-based accountability framework based on bespoke privacy management programmes tailored to an organisation's individual data processing operations, and removing obligations to appoint a data protection officer, conduct data privacy impact assessments and maintain processing records.
Pragmatic scrutiny of compliance. The Information Commissioner's Office's (ICO) ongoing efforts to maintain an effective regulatory approach to compliance that remains in sync with a rapidly evolving digital landscape without impeding innovation are a recurring theme throughout this article. It continues to demonstrate empathy with the challenges organisations face in remaining in step with the accountability framework during a pandemic, and this will remain the position in 2022. See "ICO consultation on its regulatory approach" under Other developments.
As life for many will likely continue to remain heavily reliant on social media and video conferencing while work and everyday life continues to be disrupted by the pandemic for the foreseeable future, the ICO's relationship with the tech giants and others who provide and operate these services will continue to occupy centre stage in 2022. The ICO has demonstrated its appetite to enforce the UK GDPR on a provisional basis against Clearview AI Inc with the full extent of any fine and enforcement action to be confirmed in 2022 after Clearview has made its representations (see Sanctions and remedies and Technology). The ICO will also continue to engage constructively with businesses ranging from global tech giants to SMEs to help ensure their processing activities remain compliant, by publishing guidance or evaluating projects at their sandbox stage to help ensure that a data privacy compliant course is steered and maintained from the outset and throughout the lifespan of a new product. See "ICO consultation on its regulatory approach" under Other developments and Data sharing.
New journalism code. A final version of a statutory code that will apply to the processing of personal data for the purposes of journalism should be laid before Parliament in 2022. The code will provide practical guidance to help media organisations, journalists and others engaged in data processing roles relating to the publication of journalistic material comply with data protection requirements. For further information about the code, see Legal update, ICO consults on draft journalism code and draft economic impact assessment.
Certification schemes. Certification under the UK GDPR (Article 42) is a way for an organisation to demonstrate it is complying with its data protection obligations and show accountability. The development of certification schemes for ICO approval has been slow to take off and the ICO remains keen to talk to and advise organisations interested in developing further certification schemes in 2022. (See Legal update, ICO approves first certification scheme criteria, ICO & Certification schemes and Data security.)
Age Assurance Bill and Children's Code developments. For information on the progress of the Age Assurance Bill (which would require that any age assurance system operated in relation to online or digital services used by UK consumers, or operated in the UK, would have to protect the privacy of users in accordance with data protection legislation) and developments with the Children's Code, see Rights of data subjects.
Cookies
Cookies have been crumbling in 2021 in the light of increasing concerns about cookie fatigue from pop-ups seeking consent to the use of cookies and individuals simply clicking "I agree" because they want to access a website without engaging with the privacy information and controls. Some blame impractical and strict e-privacy rules which lead to some online advertisers taking short cuts, and others blame a lack of enforcement. Elizabeth Denham recently called on the G7 data protection authorities believing that they could help tackle the problem by playing a major role in encouraging technology firms and standards organisations to develop and roll out privacy-oriented solutions globally; there is likely to be a further meeting in 2022 when this might be discussed (see Legal update, Information Commissioner calls on G7 data protection authorities to tackle cookie pop-ups). Requirements in relation to cookies (and similar technologies) should be kept under review, as there may be changes ahead in 2022, including:
Proposals in the DCMS consultation, "Data: A new direction". The government's proposals include relaxing cookie consent requirements, with one option being to remove the need for consent for analytics cookies (they would be treated in the same way as "strictly necessary" cookies). Another proposal would see organisations permitted to place cookies without consent for other limited purposes, effectively creating a list of exempt cookies. Neither option would remove the requirement for organisations to provide clear and comprehensive information. Third-party or privacy-intrusive cookies would remain subject to a consent and information requirement. The Taskforce on Innovation, Growth and Regulatory Reform has suggested that data fiduciaries or other trusted third parties could play a role in managing individuals' consent without the use of cookie pop-up notices (see Articles, DCMS data protection reforms: summary of consultation proposals: Use of cookies and other similar technologies and Data protection reform: setting the course for a new direction: Cookies). Following analysis of responses to the consultation, the DCMS will publish the outcome, including next steps, in due course (no announcement on timing has yet been made).
Automated decision-making and profiling. The DCMS consultation "Data: A new direction" has no proposed legislative amendments in relation to Article 22 of the UK GDPR (automated decision-making and profiling). But it does seek views on repealing restrictions on profiling and automated decision-making, including the right to human intervention, and reducing the restrictions on collateral use of personal data. Any changes in relation to profiling may impact on the use of personal data collected by cookies (see Article, DCMS data protection reforms: summary of consultation proposals: AI and machine learning: Automated decision-making and data rights and Rights of data subjects.)
ICO investigation into real-time bidding (RTB) and the advertising technology industry (adtech). Since the ICO's 2019 report on its investigation into RTB and the adtech industry, the industry has developed a number of initiatives that seek to address the risks adtech poses and has seen a shift towards less intrusive tracking and profiling practices (see Legal update, ICO posts progress report on its engagement with adtech organisations). One of the most significant developments is Google's proposed "Google Privacy Sandbox" (GPS), which intends to replace third-party cookies (TPCs) and other forms of cross-site tracking with alternative technologies for enabling targeted advertising (and the measurement of advertising). In her recent Opinion on data protection and privacy expectations for online advertising proposals, Elizabeth Denham invited further input to:
assist in understanding these developments from a data protection perspective;
help market participants developing technical solutions to better understand how to build data protection by design and default into their services; and
help those participants understand the broader data protection impacts of their proposals.
Case law. The effects of the Supreme Court's high profile decision in Richard Lloyd v Google LLC [2021] UKSC 50 (see Legal update, Mr Lloyd's representative class action in connection with Google's "Safari Workaround" rejected (Supreme Court) (Full update)) will continue to be seen in 2022. The Supreme Court ruling has significantly reduced the ability for representative class actions to be brought on an opt-out basis for breach of data protection legislation alone. While many controllers breathed a collective sigh of relief at the outcome, interestingly, the ICO supported Mr Lloyd's argument that the word "damage" in section 13(1) includes "loss of control" over personal data, which indicates there is some support for the argument. This is possibly because the current remedies for the mass harm that can be (and is) wrought by misuse of digital technologies are perceived, by some, as inadequate. A number of other representative class actions for alleged breaches of the UK GDPR have been on hold pending the outcome of Lloyd v Google, but it remains to be seen whether there is still the appetite to pursue these claims (see "Claims for compensation" under Other developments below).
Draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). At EU level, the draft ePR aims to define clearer rules on cookies and tracking technologies and give more control to web users. Once finalised, the ePR will not become applicable in the UK; however, it will still be important to follow its progress, as the UK may need to align with its requirements due to its territorial reach. Practitioners will need to be aware of any divergences between the final outcome of the UK government's consultation "Data: A new direction" and the ePR once formally adopted. (See Digital Single Market Strategy: Regulation on Privacy and Electronic Communications (ePrivacy Regulation): legislation tracker.)
European Data Protection Board (EDPB) cookie banner taskforce set up to respond to noyb complaints about tracking cookies. Again, at EU level, the EDPB has set up a taskforce (see EDPB: EDPB establishes cookie banner taskforce (September 2021)) to co-ordinate the response to complaints that noyb (a not-for-profit organisation co-founded by the well-known privacy advocate Max Schrems) has filed with various European supervisory authorities alleging that some companies deliberately make it hard for individuals to opt out of tracking cookies. noyb's first test phase is complete and it aims to scan, review, warn and enforce the law on up to 10,000 websites, so that users have a real choice in the future (see Legal update, EDPB adopts opinion on South Korea adequacy and establishes cookie banner taskforce (55th Plenary Session)). Max Schrems is showing no sign of lying low in 2022!
Data security
Cybersecurity will no doubt continue to be a focus for the UK and the EU, and data breaches will also continue to be a focus for organisations and the ICO. In addition, we may see further guidance from the ICO and an uptake of certification schemes.
Certification schemes. In 2021 the ICO approved the first certification scheme criteria, one of which is a standard that ensures that personal data has been handled appropriately when IT equipment is re-used or destroyed. We may see take-up of this standard, along with further schemes being approved in 2022. (See Legal update, ICO approves first certification scheme criteria.) The DCMS consultation ("Data: A new direction") also sought views on allowing certifications to be based on different approaches to accountability, including privacy management programmes, the extent to which accreditation for non-UK bodies will provide advantages to UK-based organisations and any other changes which could improve certification as an international transfer tool, so we may see changes to the overall approach. (See Article, DCMS data protection reforms: summary of consultation proposals: Certification schemes (section 3.4) and Compliance.)
Data sharing
Unfortunately, COVID-19 continues to dominate the news headlines and news from the ICO continues in a similar vein. In December 2021, the ICO published a policy paper reflecting on some of the key themes and emerging issues in information rights regulation that it has engaged with since the outbreak of COVID-19. The conclusions reassuringly include that the principles-based approach of the UK data protection regime has provided the flexibility to allow for the collection, sharing and use of personal data in the delivery of vital services, which has allowed the ICO to apply a pragmatic risk-based approach to regulation during the pandemic, without the need to change any laws (see Legal update, COVID-19: Information Commissioner shares lessons learnt during COVID-19 pandemic and Practical Law's Data Privacy & Security Global Coronavirus Toolkit). Other areas to watch out for in 2022 include:
DCMS consultation, "Data: A new direction". The government seeks to encourage innovation in the way in which data can be shared in order to drive growth. In particular, the consultation sought views on the use of data intermediaries in the public, private or third sectors, to help with data stewardship (managing data collection, sharing, access and use in a responsible and efficient manner). The DCMS drew on the Centre for Data Ethics and Innovation's (CDEI) report for examples as to what intermediaries can offer (see Legal update, CDEI publishes report "Unlocking the value of data: Exploring the role of data intermediaries"). The outcome of the DCMS consultation will be published in due course (no announcement on timing has yet been made).
ICO Regulatory Sandbox. In 2021, the ICO updated its Data sharing information hub and its data sharing code of practice came into force. The Regulatory Sandbox is a service developed by the ICO to support organisations that are creating products and services which utilise personal data in innovative and safe ways. As part of its ongoing work, the ICO is accepting applications from organisations that are developing products and services that support complex data sharing in the public interest, for example, privacy-enhancing technologies and distributed ledger technologies.
EU Digital Markets Act. The European Commission's Digital Markets Act (DMA) is likely to complete the legislative process during 2022. It specifically targets big tech companies (referred to as "gatekeepers"). The DMA will implement ex ante regulation of digital gatekeepers and a new power for the Commission to conduct market investigations. A gatekeeper would be required to implement certain behaviour (such as ensuring a higher degree of data portability, interoperability, and access to data for the platform's business users and end users) and refrain from engaging in unfair behaviour (for example, using personal data collected from businesses hosted by the gatekeeper when competing against them, and restricting access to services). The Commission would have the power to impose fines for non-compliance of up to 10% of the company's total worldwide annual turnover and periodic penalty payments of up to 5% of the company's total worldwide annual turnover. (See Legal update, Digital Markets Act: Commission publishes proposals for ex ante regulation and market investigations to ensure contestable and fair markets in the digital sector and Legislation tracker, Digital Markets Act.)
EU Data Governance Act (DGA). The DGA aims to boost data sharing across sectors and EU member states. It was published in response to the European Commission's consultation on its European Data Strategy (see Legal update, European Commission publishes White Paper on AI and communications on shaping a digital future and European data strategy). Now that informal trialogue negotiations have concluded, the European co-legislators will have to formally adopt the DGA at first reading, after which it will be published in the Official Journal of the EU (OJ) and enter into force on the 20th day following that of its publication in the OJ. The new rules will apply 15 months after the entry into force of the DGA. The DGA will not apply in the UK following Brexit and the UK government would need to introduce domestic legislation if it wants to align with the provisions (see Legal update, Political agreement reached on European Data Governance Act).
Referral to the ECJ for a preliminary ruling on processing of passenger data. The ECJ's ruling is awaited on questions referred from the Cour constitutionnelle (Belgium) in October 2019 about the processing of passenger data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Ligue des droits humains, Case C-817/19). Advocate General Pitruzzella is expected to deliver his opinion on 27 January 2022.
Direct marketing
It is no secret that the ICO takes compliance with the e-marketing rules in PECR and the lawful collection and use of personal data under the UK GDPR for direct marketing purposes very seriously; frequently it is at the top of its list for fines or enforcement action (see ICO civil penalties: tracker). The ICO will continue to flex its muscles in this area and push to increase its enforcement powers and the maximum amount of the fines that it can impose under PECR. Specific things to be aware of in 2022 include:
ICO draft direct marketing code of practice. The ICO's consultation on its draft direct marketing code of practice, together with additional practical tools, such as checklists, closed on 4 March 2020 (see Legal update, ICO launches consultation on draft direct marketing code). A spokesperson at the ICO has confirmed to Practical Law that they cannot yet provide an indication as to when the code will be finalised and laid before Parliament, before coming into force. Once in force, as a statutory code of practice, it will provide the ICO with more enforcement power than the direct marketing guidelines made under the Data Protection Act 1998 (DPA 1998). Bearing in mind the government's proposals in relation to direct marketing, it is not beyond the realms of possibility that the ICO may be awaiting the outcome of the DCMS consultation, "Data: A new direction" (no announcement on timing has yet been made) before finalising the code.
DCMS consultation, "Data: A new direction". The UK government has persistently made clear that it will set its own compass in relation to the UK data protection regime and as such, it will be worth keeping a watch on any conflicting requirements between the UK government's proposals in relation to direct marketing and the EU's in its draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). The DCMS consultation includes the following proposals:
increasing the maximum fine that the ICO can levy for non-compliance with PECR from £500,000 to £17.5 million or 4% of global annual turnover (the same level that the ICO can levy for failing to comply with the UK GDPR and DPA 2018). The ICO is calling for the government to go further and align the whole of the PECR enforcement toolkit with the UK GDPR and DPA 2018, which would include security audits;
extending "the soft opt-in" for electronic communications for direct marketing to cover non-commercial organisations, such as political parties and charities, where they have previously formed a relationship with the person (for example, as a result of membership or a subscription). The ICO is calling for the existing safeguards to apply if there is any extension and for clarification as to whether it applies to fundraising and, if so, whether further safeguards should be put in place, bearing in mind the previously huge volumes of fundraising material that caused distress and significant harm to vulnerable individuals;
relaxing the rules in relation to democratic engagement, in particular whether communications from political parties which promote aims and ideals should continue to be treated as direct marketing for the purposes of PECR and whether the lawful grounds for processing personal data permit political parties and elected representatives to process personal data for the purpose of democratic engagement to the extent that is necessary in a healthy democracy. The ICO states that ensuring a healthy democracy is important, but any relaxation would need careful consideration; and
enhancing the ICO's enforcement powers and possibly introducing new legislative measures to combat nuisance calls, text messages and emails. The ICO welcomes the range of additional options proposed and in addition recommends that the government considers extending the UK's existing PECR legislation to operate on an extra-territorial basis, like the UK GDPR, as this would help the ICO to reach beyond the UK's borders to pursue instigators of calls from abroad that target UK citizens.
Digital Regulation Cooperation Forum (DRCF) 2021/2022 workplan. The DRCF comprises the CMA, Ofcom, the ICO and the Financial Conduct Authority. It was set up to support regulatory co-ordination in digital markets, and co-operation on areas of mutual importance. In 2022, it will continue the work set out in its 2021/2022 workplan (see Legal update, DRCF publishes workplan for 2021/22). This includes:
further work needed to understand interactions between data protection and competition regulation (such as an ongoing investigation into Google's privacy sandbox browser changes);
ensuring design frameworks meet standards set out in the UK GDPR;
algorithmic processing;
digital advertising technologies;
the ICO's Age Appropriate Design Code and the regulation of video-sharing platforms (VSPs) and online safety; and
interactions in the wider digital regulation landscape.
Draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). At EU level, the draft ePR aims to establish tighter and clearer rules on electronic direct marketing (such as email, text, fax and live and automated calls). The legislation will not become directly applicable in the UK but, in view of its proposed territorial reach, it will still be important to follow its progress and be aware of any divergences between the final outcome of the UK government's consultation "Data: A new direction" and the ePR once formally adopted. (See Digital Single Market Strategy: Regulation on Privacy and Electronic Communications (ePrivacy Regulation): legislation tracker.)
Artificial intelligence and machine learning are increasingly impacting on the ways decisions are made about workers, monitoring technologies are more varied and widespread in use, and the COVID-19 pandemic has accelerated the trend for working remotely and obtaining health data. All of these are themes we are likely to see reflected in 2022, for example in guidance and regulatory activity. In addition, regulatory guidance and activity more generally will have an impact on how employees' data is processed and some of this is covered in other sections of this article, for example the ICO's AI and Data Protection Risk Toolkit (see Technology) and the ICO's IDTA and guidance on international transfers (see Exporting personal data).
Other areas to watch out for in 2022 include:
Employment practices guidance. We expect to see new guidance from the ICO on employment practices following a call for views. This is long awaited and should replace the employment practices code and supplementary guidance under the DPA 1998. The ICO aims to reflect how working life has changed over the last few years. The guidance will cover topics including recruitment and selection, employment records, monitoring of workers and information about workers' health, and will be an evolving resource. (See Practice note, UK GDPR and Data Protection Act 2018: employer obligations.) In the meantime, the CDEI and REC have published guidance on data driven tools in the recruitment sector (see Legal update, CDEI and REC produce guidance on data-driven tools for recruitment sector).
Immigration exemption. On 31 January 2022, the immigration exemption in paragraph 4 of Part 1 of Schedule 2 to the DPA 2018 will become unlawful unless the government requests an extension to the suspension of unlawfulness or makes legislative changes. The government laid draft amending Regulations before Parliament on 10 December 2021 and we should therefore see the legislation amended in order to comply with Article 23 of the UK GDPR. (See Practice note, UK GDPR and DPA 2018: exemptions: Immigration: paragraph 4, Schedule 2 and General.)
Exporting personal data
In 2021 data protection practitioners witnessed a smooth (albeit last minute) transition to protect the uninterrupted flow of personal data from the EEA to the UK as the temporary bridging mechanism ended and the European Commission adopted an adequacy decision in respect of the UK under the EU GDPR. The Commission also adopted its long awaited standard contractual clauses (EU SCCs) under the EU GDPR for personal data transfers from the EEA to third countries, and EU SCCs as required by Article 28 between controllers and processors for processing within the EEA. In the UK, the DCMS and the ICO both launched consultations under the UK GDPR in respect of international data transfers from the UK to third countries, the outcome of which will be greatly anticipated in 2022. However, there are concerns that if the UK's data protection regime deviates too much from the EU's, it might trigger an earlier review of the UK's adequacy decision than the sunset date of 27 June 2025. Specific developments to keep a close watch on in 2022 include:
UK government proposals on the future of the UK data protection regime. The DCMS' package of global data protection plans aims to boost growth, increase trade and improve healthcare and public services (see Legal update, UK launches post-Brexit global data plans). The package includes:
new multi-billion pound global "data adequacy" partnerships, initially with six priority territories: the USA, Australia, the Republic of Korea, Singapore, the Dubai International Finance Centre and Colombia. The government is also looking at potential future data sharing partnerships with other fast-growing economies such as Kenya, India, Brazil and Indonesia (section 17A, DPA 2018 and Article 45, UK GDPR);
a new International Data Transfers Expert Council to support the UK in championing the international flow of personal data; and
ICO consultation on personal data international transfers. The ICO is working on bespoke UK SCCs (which it is referring to as international data transfer agreements (IDTAs)) under the UK GDPR (section 119A, DPA 2018 and Article 46(3)(a), UK GDPR) (see Article, ICO consultation on international data transfers: what to do now). The ICO is aiming to provide an update towards the end of January on the following:
a draft model IDTA and guidance for the UK;
the adoption of model IDTAs issued in other jurisdictions, such as EU SCCs issued under the EU GDPR. The consultation includes a draft UK addendum to the EU SCCs;
updated ICO guidance on international transfers and international transfer risk assessments.
Approved codes of conduct (Article 46(2)(e), UK GDPR). No approved codes of conduct for restricted transfers are yet in use, but the ICO is actively working with various sector bodies and associations. The ICO will publish further information once codes of conduct are approved. The ICO welcomes enquiries from organisations who are considering writing, monitoring or signing up to a code of conduct (see ICO website: Codes of conduct).
Approved certification mechanisms (Article 46(2)(f), UK GDPR). No approved certification schemes are yet in use as an appropriate safeguard for international transfers. The ICO will provide separate guidelines in relation to the use of certification schemes as a mechanism to facilitate international transfers in due course.
Enhanced EU-US Privacy Shield. Following the ECJ's invalidity ruling in Schrems II, representatives from the US Department of Commerce and the European Commission are intensifying their discussions for an enhanced Privacy Shield framework to comply with the ruling, recognising the vital importance of data protection and the significance of cross-border data transfers to citizens and economies on both sides of the Atlantic. In the meantime, EU organisations transferring personal data to the US will need to rely on alternative data transfers mechanisms such as EU SCCs.
EDPB consultation on Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers in Chapter V of the GDPR. The guidelines aim to provide clarity on the interplay between the territorial scope of the EU GDPR (Article 3) and the provisions on international transfers (Chapter V) as well as a common understanding of the concept of international transfers. The public consultation ends on 31 January 2021. Data protection practitioners should keep watch for any differences in EU and UK guidance. (See Legal update, EDPB publishes guidance on interplay between GDPR territorial applicability and international transfers (57th Plenary).)
New Information Commissioner's inbox. John Edwards will begin tackling a challenging inbox from 3 January 2022 as the UK's new Information Commissioner (see Legal update, Arrangements for new Information Commissioner announced). Mr Edwards' approach to the post and his personal style will become clearer as he makes his mark on the UK regime, bringing a wealth of data regulatory experience as New Zealand's former Privacy Commissioner and 20 years of experience practising law and specialising in information law. Key issues in 2022 and beyond for the new Information Commissioner will include:
keeping the accountability framework in sync with data driven innovation (see Technology).
Role of personal data in countering COVID-19 and developing UK's life sciences sector. Public engagement and support are integral to data driven counter measures to COVID-19. The ICO continues to support and guide developers and organisations with the end-to-end process of delivering innovative technical solutions for use in the front line, to help ensure that a high level of public trust in the fair use of their data is maintained. NHS test and trace apps have proved one such success and the ICO's pragmatic regulatory approach will be called on repeatedly as new needs and purposes arise during the ongoing pandemic. Any use of COVID passports to free up international travel and the UK leisure industry will pose a challenge on several levels in 2022, besides respect for data privacy. For more information on the role played by the ICO in the pandemic, see Legal updates, COVID-19: Information Commissioner shares lessons learnt during pandemic and COVID-19: ICO publishes consensual audit report on NHS Test and Trace. See also Data sharing.
The role of health data also figures prominently in the government's ambitions to make the UK a world leader to develop med-tech, new medicines and undertake innovative R&D (see Legal update, Government releases ten-year strategy for UK life sciences sector: Health data). Flows of health data relating to individuals to and from the UK and data sharing will come under the remit of the ICO, which will be charged with shaping any new data laws required to underpin public trust that this most sensitive of data will be processed securely and fairly.
ICO annual tracking research. The results of the ICO's 2021 survey about the public's awareness and perceptions of their information rights and their trust and confidence in organisations who use their personal data (see Legal update, ICO publishes 2021 annual tracking research), showed that levels of trust and confidence in how companies and organisations store and use personal information had remained broadly stable since 2020, and that around one in seven people are more likely to be comfortable with their personal information being shared in the public sector as a direct result of the COVID-19 pandemic. Will the 2022 survey demonstrate that a similarly high level of public trust is being sustained in contact tracing apps and the other increasingly technology-based solutions being deployed by the government and other public health focused organisations?
What next for the immigration exemption? The Court of Appeal ruled that the immigration exemption in the DPA 2018 will be declared unlawful, but that declaration will be suspended until 31 January 2022 to provide a reasonable time for the legislation to be amended. The effect of this ruling is that the government has until 31 January 2022 to pass legislation to amend the exemption in paragraph 4, failing which the exemption will be declared unlawful and become invalid from the end of January 2022. Regulations amending the exemption have now been laid before Parliament and are expected to come into force before the January deadline. Bearing in mind the high level of scrutiny the exemption has received from the judiciary, EU bodies and pressure groups up to and including the Court of Appeal's judgment, it will be interesting to see if the new checks and balances on the Home Secretary's use of the exemption attract fresh challenges. For more information on the path to rehabilitation for the exemption, see Legal updates, Declaration from Court of Appeal that immigration exemption is unlawful suspended until 31 January 2022, Court of Appeal judgment on data protection immigration exemption published and Regulations amending DPA 2018 immigration exemption laid before Parliament.
CDEI work programme for 2022. The CDEI sees consistent and recurring challenges facing the government, industry and regulators that include developing and maintaining accountability when deploying data-driven technologies, a need to address the transparency and explainability of data-driven systems and the question of improving access to high quality data. Over the next year it plans to prioritise the themes of facilitating responsible data sharing across the economy, the responsible development, deployment and use of AI and data across the public sector and helping to lay the foundations for the development of a strong AI assurance ecosystem in the UK. (See Legal update, Centre for Data Ethics and Innovation publishes two-year review.)
Rights of data subjects
Although handling requests in relation to the rights of data subjects often tends to be business as usual (with complaints in relation to subject access requests continuing to top the ICO's complaints list by some margin), data subject rights are about more than just the exercise of individual legislative rights and the ICO is always keen to stress how its role supports people's rights, for example, in relation to public health innovation and COVID-19, facial recognition technology, political campaigning and scams and frauds targeted at the vulnerable. Children's data and rights look set to continue being a priority in 2022, both in the UK and the EU. We may also see changes to individual rights based on the DCMS proposals ("Data: A new direction").
Key areas to watch for in 2022 include:
Proposed legislative changes to subject access. The government is considering whether to introduce a fee structure (modelled on the Freedom of Information Act 2000) for access to personal data held by all controllers to help with the issues relating to controllers' capacity to respond to requests based on factors including time, cost and scope and the threshold for responding. Proposals include introducing a cost ceiling, re-introducing a nominal fee and amending the thresholds for response and for what constitutes "manifestly unfounded". (See Article, DCMS data protection reforms: summary of consultation proposals: Subject access requests (DSARs) (section 2.3).)
ICO guidance on subject access for law enforcement. The ICO has opened a consultation on draft detailed guidance that explains the rights of access individuals have under Part 3 of the DPA 2018 to personal data held about them for law enforcement purposes, and the obligations on competent authorities to comply with subject access requests. The consultation closes on 11 March 2022. See Legal update, ICO launches consultation on draft guidance for competent authorities on subject access rights.
Automated decision-making. In relation to automated decision-making, although the government has not proposed legislative changes, it sought views on clarifying the limits and scope of what constitutes "a decision based solely on automated processing" and "produc[ing] legal effects concerning [a person] or similarly significant effects" and any alternative suggestions to address the problem. It also sought views on whether Article 22 of the UK GDPR is sufficiently future-proofed, practical and proportionate, while retaining meaningful safeguards and on the Taskforce on Innovation, Growth and Regulatory Reform's recommendation that Article 22 should be removed, allowing solely automated decision-making where it meets a lawful ground and subject to compliance with the rest of the data protection legislation. (See Article, DCMS data protection reforms: summary of consultation proposals: Automated decision-making and data rights and Cookies.)
Age assurance and children's rights. The ICO issued a call for evidence on specific areas related to age assurance in the context of the Children's Code which closed on 9 December 2021 and may inform guidance. The ICO also plans to review the Children's Code in September 2022. (See Practice note, Children and the law: data protection aspects (UK).) In addition, in 2021 the ICO approved two certification scheme criteria relevant to children (one for age assurance and one looking at children's online privacy) and therefore we may see take up of these schemes (see Legal update, ICO approves first certification scheme criteria). Separately, the Age Assurance (Minimum Standards) Bill received its second reading in the House of Lords in November (see Legal update, Age Assurance (Minimum Standards) Bill receives second reading in House of Lords) although, as a Private Members' Bill, it remains to be seen how far this will progress.
Restrictions on data subject rights. At the EU level, the EDPB adopted a final version of its guidelines (10/20) on restrictions on data subject rights under Article 23 of the GDPR which may impact on the restrictions to data subject rights in place locally in EU member states. For an example of how a restriction has been found unlawful under the UK legislation, see Employee data and monitoring.
2022 may usher in significant changes to the ICO's enforcement regime (see Practice notes, UK GDPR and DPA 2018: enforcement, sanctions and remedies (UK) and Data Protection Act 2018: criminal enforcement) if the government's proposed changes in the DCMS consultation come into being. We should also find out in 2022 whether the government decides to adopt the ICO's recommendation on regulatory reform of PECR when it publishes the outcome of the consultation. However, it remains to be seen how many of the proposed changes are adopted.
Of particular interest in 2022 will be the following.
Enhancing the ICO's investigatory powers. If the proposals in the DCMS consultation are accepted, the ICO would have new powers which include the option to compel witnesses to interview, commission independent technical reports and extend the timeframe for issuing penalty notices (see Article, DCMS data protection reforms: summary of consultation proposals: Enforcement powers (section 5.7)). This could result in a more effective enforcement regime from the ICO if these powers are amended in 2022.
The ICO's suggestion to extend PECR's territorial scope. In its response to the DCMS consultation (see paragraph 102, page 54, ICO: Response to DCMS consultation "Data: a new direction" (7 October 2021)), the ICO suggested that PECR should include extra-territorial scope requirements similar to the UK GDPR. This would enable the ICO to pursue organisations outside the UK which target UK citizens. Given that the ICO receives approximately 130,000 complaints per year regarding unsolicited communications, the ICO sees this as a useful enforcement measure. See also Direct marketing.
Other developments
ICO consultation on its regulatory approach. The ICO last updated its Regulatory Action Policy in June 2021 with a supporting blog in July (see Legal update, COVID-19: ICO publishes further update to its regulatory approach during the pandemic) to help organisations better understand the ICO's enforcement approach during the pandemic and beyond. On 20 December 2021 the ICO launched a consultation on its Regulatory Action Policy, statutory guidance on its Regulatory Action Policy and statutory guidance on its PECR powers. The consultation closes on 24 March 2022 (see Legal update, ICO consults on Regulatory action policy and statutory guidance). Further updates to the policy are likely as the new Commissioner sets the regulatory agenda, and to implement any changes necessary in response to the DCMS consultation.
Scrutiny of the ICO's regulatory approach. The ICO was criticised in 2021 by The Daily Telegraph for "chasing headlines" in relation to its regulatory priorities (see Legal update, ICO publishes statement defending its work). A new Commissioner means that this level of scrutiny is likely to continue for at least the next 12 months.
Appeals. The ICO issued an enforcement notice against Experian Ltd in October 2020 (see Legal update, ICO imposes enforcement notice on Experian). Experian subsequently appealed that notice to the First-tier Tribunal (Information Rights) and the appeal is ongoing (see ICO Annual Report 2020-21, under section "Our Regulatory Action, Credit Reference Agencies"). A decision is likely in 2022.
The ICO has repeatedly stated that it does not wish to impede the responsible and data privacy friendly use of innovation. Striking a balance between protecting data subjects and allowing technology to be used for purposes that could benefit the public at large is a particular challenge for the ICO in the field of surveillance. Advances in technology have enhanced the identification capabilities of CCTV systems and liberated employees to work at home and shelter from the pandemic but not without risk to personal privacy if the underlying technology is misused. 2022 should provide some answers to a number of hot surveillance topics that have recently arisen:
ICO focus on use of LFR technology. The ICO's attention will remain firmly fixed on the risks to data protection rights from inappropriate use of live facial recognition technology (LFR) and a future where LFR is integrated with CCTV camera systems and combined with social media data to produce "supercharged CCTV", powered by big data. Organisations contemplating developing or using LFR for surveillance purposes should be aware from recently published blogs and Commissioner opinions on the use of LFR in public places (see Legal update, ICO publishes Commissioner's Opinion on use of LFR in public places for non-law enforcement purposes) just how seriously the Information Commissioner regards those risks. Organisations are on notice that a high bar has been set to justify the use of LFR and the pursuit of public protection objectives must be balanced fairly against the inherently privacy sensitive nature of LFR systems and any risk to the data privacy rights of individuals. Nothing less than high standards of governance, accountability and data protection by design, including being able to justify that the use of LFR is fair, necessary and proportionate in each specific context in which it is deployed, will be expected by the ICO.
Result of investigation into leak of DHSC CCTV footage. Scenes filmed via a DHSC CCTV system of the then Health Secretary gained widespread public attention and the privacy and data protection issues arising from their disclosure to the media are of great interest to the data professional community. The ICO launched an investigation into an alleged data breach relating to the images being removed from the system without consent, including whether any criminal offences had been committed. This is a high profile investigation and its outcome is eagerly awaited from many perspectives, including developments for privacy rights in the workplace. For more information about the investigation, see Legal update, ICO confirms investigation into Department of Health and Social Care CCTV footage.
Further data privacy complaints concerning video doorbells. The judgment in Fairhurst v Woodard (Case No G00MK161) (12 October 2021) generated extensive media attention on the use of doorbell cameras and domestic surveillance cameras being in breach of UK data protection laws. This was a County Court judgment and strictly sets no precedent, but the reasoning applied by the judge and the facts of the case could encourage other claimants to bring legal proceedings for alleged data protection breaches. Will the ringing in of the New Year herald a spate of similar video doorbell claims? For a report on this case, see Legal update, Use of security cameras and video doorbell breached data protection law (County Court) and Sanctions and remedies.
Data protection and technology continues to be a rapidly evolving area as regulators and legislators aim to keep up with emerging developments. While technologies such as AI and cloud continue to be of relevance, we are also seeing increasing activity and co-operation in the areas of digital trade and competition. Key players such as Apple and Google also continue to address privacy requirements (for example new privacy requirements for mobile apps).
Public sector. Working with the CDEI, the government has published a standard for ensuring the transparency of algorithms, for use by government departments and public sector organisations. The standard will be the subject of a pilot project and the government will then seek the Data Standards Authority's formal endorsement of it in 2022. (See Legal update, Government pilots public sector algorithmic transparency standard.) We may also see guidance on and investigations into the use of cloud-based services by the public sector following the EDPB selecting this topic as its first co-ordinated action (see Legal update, EDPB launches first co-ordinated action on use of cloud-based services by the public sector).
EU strategy. At the EU level, the European Commission is proposing to update its 2012 European strategy for a better internet for children in the light of changes in children's use of digital technology, the acceleration of digital transformation caused by COVID-19 and the "Digital Decade" (see below). (See Legal update, European Commission roadmap on updating strategy for better internet for children.)
Digital trade and competition. The G7 countries agreed five digital trade principles in 2021, one of which is data free flow with trust. This involves addressing concerns around data localisation requirements being used for protectionist and discriminatory purposes, looking at more commonality in regulatory approach and seeking consensus on common principles for government access to personal data held by the private sector. Earlier in 2021, the UK government had published a similar five-point plan for digital trade and the Board of Trade has published a report identifying eight priorities for UK trade policy, one of which is to centre its digital trade policy around those five points. (See Legal updates, G7 countries agree digital trade principles, Government publishes five-point plan for digital trade and Board of Trade publishes report on digital trade.) We can therefore expect to see data protection regulation continue to play an important role in digital trade. In relation to competition, the CMA, as part of the UK's Presidency of the G7, has published an independent report providing a compendium of approaches to improving competition in digital markets and, at the EU level, the European Commission's proposal for a regulation to ensure contestable and fair markets in the digital sector (Digital Markets Act) continues to progress (see Legal updates, CMA publishes compendium of approaches to improving competition in digital markets and Council agrees general approach on Digital Markets Act proposal). See also Article, Trends in information technology law: looking ahead to 2022 and Data sharing.
EDPB guidance. The EDPB continues to have a watching brief on legal implications relating to technological issues, such as cloud, AI and machine learning, digital identity, data brokers, internet of things and payment methods. We may also see specific guidelines on blockchain and on anonymisation and pseudonymisation. (See Legal update, EDPB publishes 2021/2022 work programme (46th Plenary).)
Transactions
Data transactions would naturally benefit from the government's and ICO's work to develop an advanced UK digital economy where public trust and confidence that their personal data is processed securely and responsibly are underpinned by high standards of data protection that do not impede the free flow of digital data. 2022 should see some significant steps towards establishing the foundations for digital and more traditional transactions involving personal data:
New SCCs for controller and processor transactions. It remains to be seen whether the ICO will produce a set of UK standard contractual clauses (SCCs) for controller-processor transactions or adopt the SCCs produced by the EC in June 2021 (see Legal update, European Commission adopts final versions of standard contractual clauses under EU GDPR). Either option would likely be welcomed by SMEs in 2022 because a new set of SCCs approved for UK use would become the default standard for organisations, or the benchmark against which other clauses will be measured, and would ease the burden of complying with the contracting requirements under Article 28(3) of the UK GDPR. See Exporting personal data.
Five-point plan for digital trade. A key element of the Department for International Trade (DIT) five-point plan to boost digital transactions and the UK economy concerning the free flow of data (see Legal update, Government publishes five-point plan for digital trade) relies on the ICO's support to help ensure its success. The DIT's vision to remove unjustified barriers encountered by data as it transfers along international digital superhighways is shared by the ICO, provided that any personal data is safeguarded to the high standards of UK data protection laws. Exactly how those twin goals are to be achieved should become clearer in 2022. See Technology.
Part of the ICO's role will be to help develop rules and provide regulation that ensure "data flows with trust", and will sustain consumer trust that data relating to them will be protected by robust laws when it is processed by new data driven products and business models (see Legal update, ICO releases summary of discussions between G7 data protection authorities).
Business-enabling data protection laws. In the ICO's response to the DCMS consultation on data protection reform ("Data: A new direction") (see Legal update, ICO response to DCMS consultation on future of UK data protection regime), it acknowledged the UK's new-found freedom to adapt data protection laws to be a business enabler and to develop reforms that help UK businesses employ risk-based, practical approaches to meeting their data protection obligations when transferring data from the UK. For information on the ICO's work programme for international transfers of data, see Exporting personal data.
Digital friendly EDPB work programme. The EU GDPR's role in boosting digital transactions is a key pillar of the EDPB work programme for 2021/2022 (see Legal update, EDPB publishes 2021/2022 work programme (46th Plenary)). Publications anticipated from the EDPB for 2022 include guidelines on blockchain, anonymisation and pseudonymisation, facial recognition in law enforcement and topics such as AI, cloud computing, internet of things and data brokers. Although EDPB guidelines are no longer directly relevant to the UK regime, and are not binding under the UK regime, the ICO has confirmed they may still provide helpful guidance on certain issues.