Practical Law Data Protection: what to expect in 2022

Confirmation of changes to accountability framework. Reforms to the UK data protection regime outlined by the DCMS in September 2021 (see Legal update, DCMS announces plans to reform UK data protection regime and Article, DCMS data protection reforms: summary of consultation proposals) will be further refined in 2022, following publication of the results from its consultation in due course (no announcement on timing has yet been made). Changes under consideration include a redesign for the UK GDPR's accountability framework by introducing a risk-based accountability framework based on bespoke privacy management programmes tailored to an organisation's individual data processing operations, and removing obligations to appoint a data protection officer, conduct data privacy impact assessments and maintain processing records.

The consultation will confirm whether large corporates and small businesses welcome a reduction in their compliance workload or if instead it's a case of "meet the new boss, same as the old boss" with risk-based privacy management seen as being just as burdensome as existing accountability obligations. For more information and analysis concerning the DCMS package of proposals, see Legal update, ICO response to DCMS consultation on future of UK data protection regime: Chapter two – reducing burdens on business and delivering better outcomes for people, and Articles, DCMS data protection reforms: summary of consultation proposals and Data protection reform: setting the course for a new direction.

Pragmatic scrutiny of compliance. The Information Commissioner's Office's (ICO) ongoing efforts to maintain an effective regulatory approach to compliance that remains in sync with a rapidly evolving digital landscape without impeding innovation is a recurring theme throughout this article. It continues to demonstrate empathy with the challenges for organisations to remain in step with the accountability framework during a pandemic, which will remain the position in 2022. See "ICO consultation on its regulatory approach" under Other developments.

As life for many will likely continue to remain heavily reliant on social media and video conferencing while work and everyday life continues to be disrupted by the pandemic for the foreseeable future, the ICO's relationship with the tech giants and others who provide and operate these services will continue to occupy centre stage in 2022. The ICO has demonstrated its appetite to enforce the UK GDPR on a provisional basis against Clearview AI Inc with the full extent of any fine and enforcement action to be confirmed in 2022 after Clearview has made its representations (see Sanctions and remedies and Technology). The ICO will also continue to engage constructively with businesses ranging from global tech giants to SMEs to help ensure their processing activities remain compliant, by publishing guidance or evaluating projects at their sandbox stage to help ensure that a data privacy compliant course is steered and maintained from the outset and throughout the lifespan of a new product. See "ICO consultation on its regulatory approach" under Other developments and Data sharing.

New journalism code. A final version of a statutory code that will apply to the processing of personal data for the purposes of journalism should be laid before Parliament in 2022. The code will provide practical guidance to help media organisations, journalists and others engaged in data processing roles relating to the publication of journalistic material comply with data protection requirements. For further information about the code, see Legal update, ICO consults on draft journalism code and draft economic impact assessment.

Certification schemes. Certification under the UK GDPR (Article 42) is a way for an organisation to demonstrate it is complying with its data protection obligations and show accountability. The development of certification schemes for ICO approval has been slow to take off and the ICO remains keen to talk to and advise organisations interested in developing further certification schemes in 2022. (See Legal update, ICO approves first certification scheme criteria ICO & Certification schemes and Data security.)

Age Assurance Bill and Children's Code developments. For information on the progress of the Age Assurance Bill (which would require that any age assurance system operated in relation to online or digital services used by UK consumers, or operated in the UK, would have to protect the privacy of users in accordance with data protection legislation) and developments with the Children's Code, see Rights of data subjects.

Proposals in the DCMS consultation, "Data: A new direction". The government's proposals include relaxing cookie consent requirements, with one option being to remove the need for consent for analytics cookies (they would be treated in the same way as "strictly necessary" cookies). Another proposal would see organisations permitted to place cookies without consent for other limited purposes, effectively creating a list of exempt cookies. Neither option would remove the requirement for organisations to provide clear and comprehensive information. Third-party or privacy-intrusive cookies would remain subject to a consent and information requirement. The Taskforce on Innovation, Growth and Regulatory Reform has suggested that data fiduciaries or other trusted third parties could play a role in managing individual's consent without the use of cookie pop-up notices (see Articles, DCMS data protection reforms: summary of consultation proposals: Use of cookies and other similar technologies and Data protection reform: setting the course for a new direction: Cookies). Following analysis of responses to the consultation, the DCMS will publish the outcome, including next steps, in due course (no announcement on timing has yet been made).

Automated decision-making and profiling. The DCMS consultation "Data: A new direction" has no proposed legislative amendments in relation to Article 22 of the UK GDPR (automated decision-making and profiling). But it does seek views on repealing restrictions on profiling and automated decision-making, including the right to human intervention, and reducing the restrictions on collateral use of personal data. Any changes in relation to profiling may impact on the use of personal data collected by cookies (see Article, DCMS data protection reforms: summary of consultation proposals: AI and machine learning: Automated decision-making and data rights and Rights of data subjects.)

ICO investigation into real-time bidding (RTB) and the advertising technology industry (adtech). Since the ICO's 2019 report on its investigation into RTB and the adtech industry, the industry has developed a number of initiatives that seek to address the risks adtech poses and has seen a shift towards less intrusive tracking and profiling practices (see Legal update, ICO posts progress report on its engagement with adtech organisations). One of the most significant developments is Google's proposed "Google Privacy Sandbox" (GPS) which intends to replace third party cookies (TPCs) and other forms of cross-tracking with alternative technologies for enabling targeted advertising (and the measurement of advertising). In her recent Opinion on data protection and privacy expectations for online advertising proposals, Elizabeth Denham invited further input to:

(See Legal update, Information Commissioner publishes opinion on online advertising and privacy. See also Article, The adtech challenge: thriving in an e-commerce world and "Adtech" under Other developments.)

Google's proposals to remove third party cookies (TPCs). In a related investigation to RTB and adtech, the ICO will continue to work with the Competition and Markets Authority (CMA) in considering Google's Privacy Sandbox proposals to phase out support for TPCs on Chrome (see Legal update, CMA consults on modified commitments offered by Google in abuse of dominance investigation arising from Google's "Privacy Sandbox" browser changes). Google's status in the digital economy means that any proposal it puts forward has a significant impact. While Google is confident that privacy-preserving and open-standard mechanisms like the Privacy Sandbox can support a healthy ad-supported web, marketers, publishers and advertisers will need to adapt their processes. The CMA is also investigating Facebook. (See Practice note, Digital marketing: an overview: CMA investigation into Google's "Privacy Sandbox" tools, CMA investigation into Facebook's use of advertisers' data and Article, Practical Law UK Competition: what to expect in 2022.)

Case law. The effects of the Supreme Court's high profile decision in Richard Lloyd v Google LLC [2021] UKSC 50 (see Legal update, Mr Lloyd's representative class action in connection with Google's "Safari Workaround" rejected (Supreme Court) (Full update)) will continue to be seen in 2022. The Supreme Court ruling has significantly reduced the ability for representative class actions to be brought on an opt-out basis for breach of data protection legislation alone. While many controllers breathed a collective sigh of relief at the outcome, interestingly, the ICO supported Mr Lloyd's argument that the word "damage" in section 13(1) includes "loss of control" over personal data, which indicates there is some support for the argument. This is possibly because the current remedies for the mass harm that can be (and is) wrought by misuse of digital technologies are perceived, by some, as inadequate. A number of other representative class actions for alleged breaches of the UK GDPR have been on hold pending the outcome of Lloyd v Google, but it remains to be seen whether there is still the appetite to pursue these claims (see "Claims for compensation" under Other developments below).

Enforcement. The ICO has launched a consultation on its draft Regulatory Action Policy, draft statutory guidance on its regulatory action; and draft statutory guidance on its Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (PECR) powers. The consultation closes on 24 March 2022 (see Legal update, ICO consults on Regulatory action policy and stautory guidance). The ICO notes that it will continue to update its policies when it is both necessary and appropriate, particularly in the light of the DCMS consultation "Data: A new direction" which proposes increasing fines for failing to comply with PECR from £500,000 to £17.5 million or 4% of global annual turnover, to align with those in the UK GDPR and DPA 2018 (see Article, DCMS data protection reforms: summary of consultation proposals: Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR) and DCMS consultation ("Data: A new direction")).

Draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). At EU level the draft ePR aims to define clearer rules on cookies and tracking technologies and give more control to web users. Once finalised, the ePR will not become applicable in the UK, however, it will still be important to follow its progress as the UK may need to align with its requirements due to its territorial reach. Practitioners will need to be aware of any divergences between the final outcome of the UK government's consultation "Data: A new direction" and the ePR once formally adopted. (See Digital Single Market Strategy: Regulation on Privacy and Electronic Communications (ePrivacy Regulation): legislation tracker.)

European Commission investigation into possible anti-competitive conduct by Google in the online adtech supply chain. The Commission will continue as a priority its investigation into whether Google has infringed Articles 101 and 102 of the Treaty on the Functioning of the European Union by favouring its own online display adtech services, to the detriment of competing providers of adtech services, advertisers and online publishers (the investigation includes Google's plans to prohibit the placement of TPCs on Chrome). Similar issues seem to arise in the Commission's investigation into Facebook (see Legal updates, Commission opens formal investigation into possible anti-competitive conduct by Google in online advertising technology sector and Commission opens formal investigation into possible anti-competitive conduct of Facebook).

European Data Protection Board (EDPB) cookie banner taskforce set up to respond to noyb complaints about tracking cookies. Again, at EU level, the EDPB has set up a taskforce (see EDPB: EDPB establishes cookie banner taskforce (September 2021)) to co-ordinate the response to complaints that noyb (a not-for-profit organisation co-founded by the well-known privacy advocate Max Schrems) has filed with various European supervisory authorities alleging that some companies deliberately make it hard for individuals to opt-out of tracking cookies. noyb's first test phase is complete and it aims to scan, review, warn and enforce the law on up to 10,000 websites, so that users have a real choice in the future (see Legal update, EDPB adopts opinion on South Korea adequacy and establishes cookie banner taskforce (55th Plenary Session)). Max Schrems is showing no signing of lying low in 2022!

Internet Advertising Bureau Europe's (IAB) Transparency and Consent Framework. The Belgian Data Protection Authority's decision as to whether IAB Europe's Transparency and Consent Framework is in breach of the EU GDPR is awaited (see IAB: Press Release: Update On The Belgian Data Protection Authority's Investigation Of IAB Europe (5 November 2021)). (See also Practice note, Digital marketing: an overview: IAB Europe Transparency & Consent Framework.) For general information on digital marketing, see Article, Practical Law Commercial: what to expect in 2022: Advertising and marketing and Consumer and e-commerce.

Data breaches. Data security and breaches seem likely to continue as a key area of activity for the ICO. Data emailed to the wrong recipient continues to be the most common incident type reported according to the ICO's data breach statistics. The largest percentage increase in incidents reported per quarter between Q1 2019/20 and Q2 2021/22 were in hardware/software misconfiguration (700%) and ransomware (564%), so we may see further focus on these. Perhaps unsurprisingly in a pandemic, the health sector reported the largest number of breaches. We should also see the outcome of investigations such as the ICO's investigation into the Department of Health and Social Care (DHSC) CCTV footage breach (see Legal update, ICO confirms investigation into Department of Health and Social Care CCTV footage and Sanctions and remedies). The ICO will also no doubt continue to have a focus on data security and security breaches at both the national and international level (see, for example, Legal update, ICO publishes joint statement and observations on global privacy expectations of video teleconferencing companies). The Network and Information Systems (EU Exit) (Amendment) Regulations 2021 (SI 2021/1461) (Exit Regulations) come into force on 12 January 2022 and amend the incident reporting thresholds for relevant digital service providers under the Network and Information Systems Regulations 2018 (SI 2018/506) (see Legal update, Network and Information Systems (EU Exit) (Amendment) Regulations 2021 made: Brexit SI) and the EDPB should publish the final version of its guidelines on data breach notification in 2022 (see Legal update, EDPB adopts guidelines on examples regarding data breach notification).

Certification schemes. In 2021 the ICO approved the first certification scheme criteria, one of which is a standard that ensures that personal data has been handled appropriately when IT equipment is re-used or destroyed. We may see take up of this standard, along with further schemes being approved in 2022. (See Legal update, ICO approves first certification scheme criteria.) The DCMS consultation ("Data: A new direction") also sought views on allowing certifications to be based on different approaches to accountability including privacy management programmes, the extent to which accreditation for non-UK bodies will provide advantages to UK based organisations and any other changes which could improve certification as an international transfer tool, so we may see changes to the overall approach. (See Article, DCMS data protection reforms: summary of consultation proposals: Certification schemes (section 3.4) and Compliance).

Guidance. The ICO has published a preliminary paper on end-to-end encryption and is expected to publish the outcomes of its work including online safety in early 2022, see Legal update, ICO publishes paper on end-to-end encryption.

Cybersecurity. The government continues to conduct its annual cybersecurity breaches survey (see Legal update, Government launches Cyber Security Breaches Survey 2022). In relation to digital supply chains and third-party IT services, we may see government proposals (including certification or assurance marks and minimum requirements in public procurement), following the DCMS call for views on measures to enhance security of digital supply chains and third-party IT services, which found several key barriers to effective supply chain cybersecurity risk management. As part of the National Cyber Strategy, the government will continue to work with industry experts to develop a set of policy solutions aimed at increasing the cybersecurity resilience of digital solutions. (See Legal updates, Government responds to call for views on measures to enhance security of digital supply chains and third-party IT services and Government publishes new National Cyber Strategy.) The government has also published the Product Security and Telecommunications Infrastructure Bill (Part 1), which creates a new regulatory scheme to make consumer connectable products more secure against cyber attacks. (See Legal update, Product Security and Telecommunications Infrastructure Bill published (Part 1).)

At the EU level, the European Commission has proposed a Delegated Regulation under the Radio Equipment Directive (2014/53/EU) to place obligations on manufacturers to improve the cybersecurity of certain types of wireless devices that use radio technology and this will include a requirement for manufacturers to incorporate features to guarantee privacy and the protection of personal data, although it is not expected to come into force until 2024. The Cyber Resilience Act is scheduled for the third quarter of 2022, and the Commission would like swift action on the Proposal for a Directive on measures for a high common level of cybersecurity, repealing Directive (EU) 2016/1148. (See Practice note, EU cybersecurity framework: Cybersecurity Directive: proposed reform, and Legal updates, European Commission draft Regulation on cybersecurity of internet-enabled products, European Commission 2022 Work Programme: IP and IT aspects and European Commission draft Regulation on cybersecurity of internet-enabled products.)

See also Article, Practical Law IP&IT: what to expect in 2022: Cybersecurity and Regulating IoT devices.

DCMS consultation, "Data: A new direction". The government seeks to encourage innovation in the way in which data can be shared in order to drive growth. In particular, the consultation sought views on the use of data intermediaries in the public, private or third sectors, to help with data stewardship (managing data collection, sharing, access and use in a responsible and efficient manner). The DCMS drew on the Centre for Data Ethics and Innovation's (CDEI) report for examples as to what intermediaries can offer (see Legal update, CDEI publishes report "Unlocking the value of data: Exploring the role of data intermediaries). The outcome of the DCMS consultation will be published in due course (no announcement on timing has yet been made).

UK National Data Strategy (NDS). The DCMS' NDS is a central part of the government's ambition for a thriving, fast-growing digital sector in the UK and the country's recovery from COVID-19. It aims to empower government and the economy through use of data (including personal data) and ensure public trust in its use. The DCMS will report back on its Mission 1 Policy Framework and the outcome of its consultation on NDS indicator suites in 2022 (see Legal updates, National Data Strategy: DCMS publishes monitoring and evaluation framework, calls for evidence on NDS indictor suites and updates on NDS Forum and DCMS publishes National Data Strategy Mission 1 Policy Framework: Unlocking the value of data across the economy).

ICO Regulatory Sandbox. In 2021, the ICO updated its Data sharing information hub and its data sharing code of practice came into force. The Regulatory Sandbox is a service developed by the ICO to support organisations that are creating products and services which utilise personal data in innovative and safe ways. As part of its ongoing work, the ICO is accepting applications from organisations that are developing products and services that support complex data sharing in the public interest, for example, privacy-enhancing technologies and distributed ledger technologies.

EU Digital Markets Act. The European Commission's Digital Markets Act (DMA) is likely to complete the legislative process during 2022. It specifically targets big tech companies (referred to as "gatekeepers"). The DMA will implement ex ante regulation of digital gatekeepers and a new power for the Commission to conduct market investigations. A gatekeeper would be required to implement certain behaviour (such as ensuring a higher degree of data portability, interoperability, and access to data for platform's business and end-users) and refrain from engaging in unfair behaviour (for example, using personal data collected from businesses hosted by the gatekeeper when competing against them and restricting access to services). The Commission would have the power to impose fines for non-compliance of up to 10% of the company's total worldwide annual turnover and periodic penalty payments of up to 5% of the company's total worldwide annual turnover. (See Legal update, Digital Markets Act: Commission publishes proposals for ex ante regulation and market investigations to ensure contestable and fair markets in the digital sector and Legislation tracker, Digital Markets Act.)

EU Data Governance Act (DGA). The DGA aims to boost data sharing across sectors and EU member states. It was published in response to the European Commission's consultation on its European Data Strategy (see Legal update, European Commission publishes White Paper on AI and communications on shaping a digital future and European data strategy). Now that informal trialogue negotiations have concluded, the European co-legislators will have to formally adopt the DGA at first reading, after which it will be published in the Official Journal of the EU (OJ) and enter into force on the 20th day following that of its publication in the OJ. The new rules will apply 15 months after the entry into force of the DGA. The DGA will not apply in the UK following Brexit and the UK government would need to introduce domestic legislation if it wants to align with the provisions (see Legal update, Political agreement reached on European Data Governance Act).

EU Data Act (DA). The DA follows up on the DGA. The proposal aims to facilitate data sharing across the EU and between sectors by increasing trust in data intermediaries and strengthening data sharing mechanisms (see Legal update, Data Act and Database Directive impact assessment and feedback invitation and consultation).

Review of Regulation (EU) 2018/1807 on a framework for the free flow of non-personal data within the EU. The Regulation and the EU GDPR function together to enable the free flow of personal and non-personal data within the EU. The implementation of the Regulation will be evaluated by 29 November 2022 (see Legal update, European Commission publishes guidance on the interaction between the Regulation on the free flow of non-personal data and the GDPR).

Referral to the ECJ for a preliminary ruling on processing of passenger data. The ECJ's ruling is awaited on questions referred from the Cour constitutionnelle (Belgium) in October 2019 about the processing of passenger data for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Lique des droits humains Case C-817/19). Advocate General Pitruzzella is expected to deliver his opinion on 27 January 2022.

ICO draft direct marketing code of practice. The ICO's consultation on its draft direct marketing code of practice, together with additional practical tools, such as checklists, closed on 4 March 2020 (see Legal update, ICO launches consultation on draft direct marketing code). A spokesperson at the ICO has confirmed to Practical Law that they cannot yet provide an indication as to when the code will be finalised and laid before Parliament, before coming into force. Once in force, as a statutory code of practice, it will provide the ICO with more enforcement power than the direct marketing guidelines made under the Data Protection Act 1998 (DPA 1998). Bearing in mind the government's proposals in relation to direct marketing, it is not beyond the realms of possibility that the ICO may be awaiting the outcome of the DCMS consultation, "Data: A new direction" (no announcement on timing has yet been made) before finalising the code.

DCMS consultation, "Data: A new direction". The UK government has persistently made clear that it will set its own compass in relation to the UK data protection regime and as such, it will be worth keeping a watch on any conflicting requirements between the UK government's proposals in relation to direct marketing and the EU's in its draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). The DCMS consultation includes the following proposals:

(See Article, DCMS data protection reforms: summary of consultation proposals: Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (PECR).)

Ofcom and ICO joint action plan on tackling nuisance and scam calls. Ofcom and the ICO will continue their action in five key areas and in 2022 they will publish an update on their progress (see Legal update, Ofcom and ICO publish update to joint action plan on tackling nuisance and scam calls).

Digital Regulation Cooperation Forum (DRCF) 2021/2022 workplan. The DRCF comprises the CMA, Ofcom, the ICO and the Financial Conduct Authority. It was set up to support regulatory co-ordination in digital markets, and co-operation on areas of mutual importance. In 2022, it will continue the work set out in its 2021/2022 workplan (see Legal update, DRCF publishes workplan for 2021/22). This includes:

Draft e-Privacy Regulation (COM(2017) 10 final) (draft ePR). At EU level, the draft ePR aims to establish tighter and clearer rules on electronic direct marketing (such as email, text, fax and live and automated calls). The legislation will not become directly applicable in the UK but, in view of its proposed territorial reach, it will still be important to follow its progress and be aware of any divergences between the final outcome of the UK government's consultation "Data: A new direction" and the ePR once formally adopted. (See Digital Single Market Strategy: Regulation on Privacy and Electronic Communications (ePrivacy Regulation): legislation tracker.)

Employment practices guidance. We expect to see new guidance from the ICO on employment practices following a call for views. This is long awaited and should replace the employment practices code and supplementary guidance under the DPA 1998. The ICO aims to reflect how working life has changed over the last few years. The guidance will cover topics including recruitment and selection, employment records, monitoring of workers and information about workers' health, and will be an evolving resource. (See Practice note, UK GDPR and Data Protection Act 2018: employer obligations.) In the meantime, the CDEI and REC have published guidance on data driven tools in the recruitment sector (see Legal update, CDEI and REC produce guidance on data-driven tools for recruitment sector).

Immigration exemption. On 31 January 2022, the immigration exemption in paragraph 4 of Part 1 of Schedule 2 to the DPA 2018 will become unlawful unless the government requests an extension to the suspension of unlawfulness or makes legislative changes. The government laid draft amending Regulations before Parliament on 10 December 2021 and we should therefore see the legislation amended in order to comply with Article 23 of the UK GDPR. (See Practice note, UK GDPR and DPA 2018: exemptions: Immigration: paragraph 4, Schedule 2 and General.)

Employee monitoring. As workers continue to return to the office or to more permanent hybrid models and, for example, resume travel, employers will continue to face issues such as monitoring of employee productivity at home, and collection of vaccination status and data on work patterns and movements (for example to re-evaluate office space). All of these raise usual, but potentially difficult, data protection compliance issues which employers will need to work through and document (see Data protection accountability toolkit (UK) and Data protection in employment toolkit (UK GDPR and DPA 2018), and Legal updates, Employer monitoring of homeworkers prompts calls for strengthened regulation and All-party Parliamentary Group (APPG) proposes new legislation to curb surveillance technologies and algorithm-determined performance targets). See also Article, Practical Law Employment: what to expect in 2022: COVID-19 and Hot topics in 2022.

Employee rights. Employees will continue to make subject access requests to employers and exercise other data protection rights, for example during employment tribunal claims, and therefore we can always expect to see enforcement action and reminders that employers should have appropriate processes in place to recognise and respond to such requests and that these should be treated separately from employment tribunal disclosures. (See for example Legal update, ICO issues enforcement notice for failure to comply with subject access request and breach of accountability principle during employment tribunal proceedings.)

Whistleblowing. In the EU, member states should have implemented the EU Whistleblowing Directive but many have yet to do so and legislative processes will continue in 2022, creating uncertainties for multinational organisations in making their whistleblowing hotlines compliant. (See Practice note, Whistleblower Programs and EU Data Protection Law Compliance: Overview and Article, Practical Law Employment: what to expect in 2022: Hot topics in 2022.)

UK government proposals on the future of the UK data protection regime. The DCMS' package of global data protection plans aims to boost growth, increase trade and improve healthcare and public services (see Legal update, UK launches post-Brexit global data plans). The package includes:

ICO consultation on personal data international transfers. The ICO is working on bespoke UK SCCs (which it is referring to as international data transfer agreements (IDTAs)) under the UK GDPR (section 119A, DPA 2018 and Article 46(3)(a), UK GDPR) (see Article, ICO consultation on international data transfers: what to do now). The ICO is aiming to provide an update towards the end of January on the following:

Approved codes of conduct (Article 46(2)(e), UK GDPR). No approved codes of conduct for restricted transfers are yet in use, but the ICO is actively working with various sector bodies and associations. The ICO will publish further information once codes of conduct are approved. The ICO welcomes enquiries from organisations who are considering writing, monitoring or signing up to a code of conduct (see ICO website: Codes of conduct).

Approved certification mechanisms (Article 46(2)(f), UK GDPR). No approved certification schemes are yet in use as an appropriate safeguard for international transfers. The ICO will provide separate guidelines in relation to the use of certification schemes as a mechanism to facilitate international transfers in due course.

ICO guidance on Schrems II. The EDPB adopted final Recommendations 01/2020 on measures that supplement transfer tools to ensure compliance with the EU level of protection of personal data (EDPB's Recommendations (01/2020)) to assist controllers and processors with their duty to implement appropriate supplementary measures in the light of the ECJ's ruling in Data Protection Commissioner v Facebook Ireland and Maximillian Schrems (Case C-311/18) EU:C:2020:559). The recommendations apply to the EU GDPR transfer regime but the ICO considers they are still a "useful reference about additional measures" for personal data transfers under the UK GDPR transfer regime, particularly as the ruling still applies in the UK as Retained EU law. The ICO's website states that it "intends to issue its own guidance on this topic in due course". (See Article, European Commission’s new standard contractual clauses: what they mean for UK businesses.)

Potential challenges to UK adequacy decision. Maximillian Schrems has a successful track record in challenging adequacy decisions under the EU GDPR (see Legal update, Schrems II: controller to processor standard contractual clauses valid but EU-US Privacy Shield invalid (ECJ)). Although such concerns may be premature, it must be hoped that he does not turn his attention to the UK adequacy decision adopted under the EU GDPR but, in any event, data protection practitioners should familiarise themselves with requirements in relation to legacy data and the "Frozen GDPR" (see Practice note, Overview of UK GDPR: Frozen GDPR and legacy data).

European Commission SCCs for personal data transfers from the EEA to third countries under EU GDPR. The EU SCCs include many (but not all) of the EDPB's recommendations (01/2020). Contracts using the Data Protection Directive (95/46/EC) SCCs concluded before 27 September 2021 remain valid until 27 December 2022, provided processing operations remain unchanged and are subject to appropriate safeguards. This is likely to create a large burden for data exporters and importers in updating their contracts. (See Articles, European Commission's International Data Transfer Standard Contractual Clauses: What Businesses Need to Know, European Commission's new standard contractual clauses: what they mean for UK businesses and Key Takeaways From the European Commission's Article 28 Standard Contractual Clauses.)

Enhanced EU-US Privacy Shield. Following the ECJ's invalidity ruling in Schrems II, representatives from the US Department of Commerce and the European Commission are intensifying their discussions for an enhanced Privacy Shield framework to comply with the ruling, recognising the vital importance of data protection and the significance of cross-border data transfers to citizens and economies on both sides of the Atlantic. In the meantime, EU organisations transferring personal data to the US will need to rely on alternative data transfers mechanisms such as EU SCCs.

EDPB consultation on Guidelines 05/2021 on the interplay between the application of Article 3 and the provisions on international transfers in Chapter V of the GDPR. The guidelines aim to provide clarity on the interplay between the territorial scope of the EU GDPR (Article 3) and the provisions on international transfers (Chapter V) as well as a common understanding of the concept of international transfers. The public consultation ends on 31 January 2021. Data protection practitioners should keep watch for any differences in EU and UK guidance. (See Legal update, EDPB publishes guidance on interplay between GDPR territorial applicability and international transfers (57th Plenary).)

Approved codes of conduct (Article 46(2)(e), EU GDPR). The EDPB's consultation on draft guidelines (4/2020) on codes of conduct as tools for transfers ended on 1 October 2021. The final version is awaited.

New Information Commissioner's inbox. John Edwards will begin tackling a challenging inbox from 3 January 2022 as the UK's new Information Commissioner (see Legal update, Arrangements for new Information Commissioner announced). Mr Edwards' approach to the post and his personal style will become clearer as he makes his mark on the UK regime, bringing a wealth of data regulatory experience as New Zealand's former Privacy Commissioner and 20 years of experience practising law and specialising in information law. Key issues in 2022 and beyond for the new Information Commissioner will include:

Role of personal data in countering COVID-19 and developing UK's life sciences sector. Public engagement and support are integral to data driven counter measures to COVID-19. The ICO continues to support and guide developers and organisations with the end-to-end process of delivering innovative technical solutions for use in the front line, to help ensure that a high level of public trust in the fair use of their data is maintained. NHS test and trace apps have proved one such success and the ICO's pragmatic regulatory approach will be called on repeatedly as new needs and purposes arise during the ongoing pandemic. Any use of COVID passports to free up international travel and the UK leisure industry will pose a challenge on several levels in 2022, besides respect for data privacy. For more information on the role played by the ICO in the pandemic, see Legal updates, COVID-19: Information Commissioner shares lessons learnt during pandemic and COVID-19: ICO publishes consensual audit report on NHS Test and Trace. See also Data sharing.

The role of health data also figures prominently in the government's ambitions to make the UK a world leader to develop med-tech, new medicines and undertake innovative R&D (see Legal update, Government releases ten-year strategy for UK life sciences sector: Health data). Flows of health data relating to individuals to and from the UK and data sharing will come under the remit of the ICO, which will be charged with shaping any new data laws required to underpin public trust that this most sensitive of data will be processed securely and fairly.

ICO annual tracking research. The results of the ICO's 2021 survey about the public's awareness and perceptions of their information rights and their trust and confidence in organisations who use their personal data (see Legal update, ICO publishes 2021 annual tracking research), showed that levels of trust and confidence in how companies and organisations store and use personal information had remained broadly stable since 2020, and that around one in seven people are more likely to be comfortable with their personal information being shared in the public sector as a direct result of the COVID-19 pandemic. Will the 2022 survey demonstrate that a similarly high level of public trust is being sustained in contact tracing apps and the other increasingly technology-based solutions being deployed by the government and other public health focused organisations?

What next for the immigration exemption? The Court of Appeal ruled that the immigration exemption in the DPA 2018 will be declared unlawful, but that declaration will be suspended until 31 January 2022 to provide a reasonable time for the legislation to be amended. The effect of this announcement is that the government has until 31 January 2022 to pass legislation to amend the exemption in paragraph 4, failing which the exemption will be declared unlawful and become invalid from the end of January 2022. Regulations amending the exemption have now been laid before Parliament and are expected to come into force before the January deadline. Bearing in mind the high level of scrutiny the exemption has received from the judiciary, EU bodies and pressure groups up to and including the Court of Appeal's judgment, it will be interesting to see if the new checks and balances on the Home Secretary's use of the exemption attract fresh challenges. For more information on the path to rehabilitation for the exemption, see Legal updates, Declaration from Court of Appeal that immigration exemption is unlawful suspended until 31 January 2022 , Court of Appeal judgment on data protection immigration exemption published and Regulations amending DPA 2018 immigration exemption laid before Parliament.

CDEI work programme for 2022. The CDEI sees consistent and recurring challenges facing the government, industry and regulators that include developing and maintaining accountability when deploying data-driven technologies, a need to address the transparency and explainability of data-driven systems and the question of improving access to high quality data. Over the next year it plans to prioritise the themes of facilitating responsible data sharing across the economy, the responsible development, deployment and use of AI and data across the public sector and helping to lay the foundations for the development of a strong AI assurance ecosystem in the UK. (See Legal update, Centre for Data Ethics and Innovation publishes two-year review.)

Proposed legislative changes to subject access. The government is considering whether to introduce a fee structure (modelled on the Freedom of Information Act 2000) for access to personal data held by all controllers to help with the issues relating to controllers' capacity to respond to requests based on factors including time, cost and scope and the threshold for responding. Proposals include introducing a cost ceiling, re-introducing a nominal fee and amending the thresholds for response and for what constitutes "manifestly unfounded". (See Article, DCMS data protection reforms: summary of consultation proposals: Subject access requests (DSARs) (section 2.3).)

ICO guidance on subject access for law enforcement. The ICO has opened a consultation on draft detailed guidance that explains the rights of access individuals have under Part 3 of the DPA 2018 to personal data held about them for law enforcement purposes, and the obligations on competent authorities to comply with subject access requests. The consultation closes on 11 March 2022. See Legal update, ICO launches consultation on draft guidance for competent authorities on subject access rights.

Automated decision-making. In relation to automated decision-making, although the government has not proposed legislative changes, it sought views on clarifying the limits and scope of what constitutes "a decision based solely on automated processing" and "produc[ing] legal effects concerning [a person] or similarly significant effects" and any alternative suggestions to address the problem. It also sought views on whether Article 22 of the UK GDPR is sufficiently future-proofed, practical and proportionate, while retaining meaningful safeguards and on the Taskforce on Innovation, Growth and Regulatory Reform's recommendation that Article 22 should be removed, allowing solely automated decision-making where it meets a lawful ground and subject to compliance with the rest of the data protection legislation. (See Article, DCMS data protection reforms: summary of consultation proposals: Automated decision-making and data rights and Cookies.)

Age assurance and children's rights. The ICO issued a call for evidence on specific areas related to age assurance in the context of the Children's Code which closed on 9 December 2021 and may inform guidance. The ICO also plans to review the Children's Code in September 2022. (See Practice note, Children and the law: data protection aspects (UK).) In addition, in 2021 the ICO approved two certification scheme criteria relevant to children (one for age assurance and one looking at children's online privacy) and therefore we may see take up of these schemes (see Legal update, ICO approves first certification scheme criteria). Separately, the Age Assurance (Minimum Standards) Bill received its second reading in the House of Lords in November (see Legal update, Age Assurance (Minimum Standards) Bill receives second reading in House of Lords) although, as a Private Members' Bill, it remains to be seen how far this will progress.

Review of Human Rights Act 1998 (HRA 1998). In December 2021 the government published a consultation on reforming the HRA 1998 and replacing it with a UK Bill of Rights. The consultation closes on 8 March 2022. See Legal update, Government publishes consultation on reforming Human Rights Act 1998 and replacing it with a UK Bill of Rights (December 2021) and Articles, Practical Law Employment: what to expect in 2022: Hot topics in 2022 and Practical Law Public Sector: what to expect in 2022: Equality and human rights.

Online safety. The Online Safety Bill will apply to services that host user-generated content, services that facilitate online interaction between users (that is, social media providers) and search engines and includes the duty to protect rights to freedom of expression and privacy. (See Practice note, Online Safety Bill and Article, Practical Law IP&IT: what to expect in 2022: Online platform regulation.)

Restrictions on data subject rights. At the EU level, the EDPB adopted a final version of its guidelines (10/20) on restrictions on data subject rights under Article 23 of the GDPR which may impact on the restrictions to data subject rights in place locally in EU member states. For an example of how a restriction has been found unlawful under the UK legislation, see Employee data and monitoring.

Case law. Data subject rights often feature in case law in the UK, EU and ECHR and we are therefore likely to see further cases in 2022. (See for example Legal update, Requirement to de-index online article did not violate Article 10 (ECHR) and Opinion that the GDPR does not prevent consumer protection associations from bringing legal proceedings for infringements of data protection rights (Advocate General).)

EDPB guidance. The EDPB may issue guidelines on data subject rights and on children's data in 2022 (see Legal update, EDPB publishes 2021/2022 work programme (46th Plenary)).

Updated Surveillance Camera Code of Practice. The code has been updated to bring it into line with data privacy requirements under the UK GDPR and DPA 2018 and to reflect the judgment in R (Bridges) v Chief Constable of South Wales Police and others [2020] EWCA Civ 1058 and will come into effect from 12 January 2022. For further details, see Legal update, Update to Surveillance Camera Code of Practice.

Expanded surveillance camera oversight role for ICO. One of the proposals in the DCMS package of reforms for the UK data protection regime ("Data: A new direction") is for the ICO to expand its role to take on the functions of the current Biometrics Commissioner and Surveillance Camera Commissioner. This expansion of its remit has been welcomed by the ICO in its published response to the DCMS consultation and details of how these new functions will be aligned with the ICO's existing responsibilities will become clearer later next year. (See Article, DCMS data protection reforms: summary of consultation proposals: Biometrics Commissioner and Surveillance Camera Commissioner (section 5.9) and Legal update, ICO response to DCMS consultation on future of UK data protection regime: Chapter five – ICO reform.)

ICO focus on use of LFR technology. The ICO's attention will remain firmly fixed on the risks to data protection rights from inappropriate use of live facial recognition technology (LFR) and a future where LFR is integrated with CCTV camera systems and combined with social media data to produce "supercharged CCTV", powered by big data. Organisations contemplating developing or using LFR for surveillance purposes should be aware from recently published blogs and Commissioner opinions on the use of LFR in public places (see Legal update, ICO publishes Commissioner's Opinion on use of LFR in public places for non-law enforcement purposes) just how seriously the Information Commissioner regards those risks. Organisations are on notice that a high bar has been set to justify the use of LFR and the pursuit of public protection objectives must be balanced fairly against the inherently privacy sensitive nature of LFR systems and any risk to the data privacy rights of individuals. Nothing less than high standards of governance, accountability and data protection by design, including being able to justify that the use of LFR is fair, necessary and proportionate in each specific context in which it is deployed, will be expected by the ICO.

Result of investigation into leak of DHSC CCTV footage. Scenes filmed via a DHSC CCTV system of the then Health Secretary gained widespread public attention and the privacy and data protection issues arising from their disclosure to the media are of great interest to the data professional community. The ICO launched an investigation into an alleged data breach relating to the images being removed from the system without consent, including whether any criminal offences had been committed. This is a high profile investigation and its outcome is eagerly awaited from many perspectives, including developments for privacy rights in the workplace. For more information about the investigation, see Legal update, ICO confirms investigation into Department of Health and Social Care CCTV footage.

Further data privacy complaints concerning video doorbells. The judgment in Fairhurst v Woodard (Case No G00MK161) (12 October 2021) generated extensive media attention on the use of doorbell cameras and domestic surveillance cameras being in breach of UK data protection laws. This was a County Court judgment and strictly sets no precedent, but the reasoning applied by the judge and the facts of the case could encourage other claimants to bring legal proceedings for alleged data protection breaches. Will the ringing in of the New Year herald a spate of similar video doorbell claims? For a report on this case, see Legal update, Use of security cameras and video doorbell breached data protection law (County Court) and Sanctions and remedies.

New ICO guidance and prospect of strengthened regulation for employer monitoring of homeworkers. Advances in technology have helped smooth the transition for many employees from office to home working but the risks to their data privacy rights from the inappropriate use by employers of monitoring technology has come under recent scrutiny (see Legal updates, Employer monitoring of homeworkers prompts calls for strengthened regulation and All-party Parliamentary Group (APPG) proposes new legislation to curb surveillance technologies and algorithm-determined performance targets). The report from an All-party Parliamentary Group called for the introduction of an Accountability for Algorithms Act to update digital protection for the rights of employees. In addition to any further steps forward to a new Act in 2022, the ICO will be publishing new data protection and employment practices guidance and products. This will reflect changes in the UK data protection regime and the more extensive use of technology by employers in workplaces. For further details, see Legal update, ICO calls for views on data protection and employment practices guidance and Employee data and monitoring.

AI. The ICO has been consulting on the beta version of its AI and Data Protection Risk Toolkit, with the consultation closing on 1 December 2021. We can therefore expect to see updates to the toolkit which was published in July 2021. The ICO may also take into account its findings from the Clearview investigation (see Legal update, ICO confirms intention to fine Clearview AI Inc over £17 million for alleged serious breaches of UK data protection laws and Sanctions and remedies).

The adoption of data foundations and AI is also a topic of interest to the DCMS and we may see further government initiatives and investment in this area. In particular, in its consultation ("Data: A new direction"), the DCMS sought views on how to achieve fairness, for example, fair use, procedural fairness and outcome fairness processing in an AI context. It also sought views on building trustworthy AI systems, monitoring, detecting and correcting bias in relation to AI systems and automated decision-making and data rights, and a white paper is expected in 2022. (See Practice note, Demystifying artificial intelligence (AI), Article, DCMS data protection reforms: summary of consultation proposals: AI and machine learning (section 1.5) and Legal updates, ICO launches consultation on beta version of its AI and Data Protection Risk Toolkit and DCMS publishes research into data foundations and AI adoption in private and third sectors.)

At the EU level, the European Commission's work programme for 2022 includes a proposal for a Regulation to harmonise the rules on AI (see Regulation laying down harmonised rules on artificial intelligence (Artificial Intelligence Act): legislation tracker).

See also Articles, Trends in information technology law: looking ahead to 2022: Artificial intelligence (AI) and Practical Law IP&IT: what to expect in 2022: AI.

Regulatory co-operation. We expect to see further co-operation between regulators following the appointment of a new Chief Executive of the DRCF, established in 2020 by the CMA, Ofcom and the ICO to ensure a greater level of co-ordination between the different regulators of online services in order to drive a coherent approach to digital regulation. One topic being worked on is end-to-end encryption and online safety and the DRCF has also launched a technology horizon scanning programme to provide a coherent view of new and emerging digital markets and technologies. The ICO is also continuing to work with the CMA in relation to Google's Privacy Sandbox. (See Legal updates, DRCF publishes workplan for 2021/22, Chief Executive of Digital Regulation Co-operation Forum appointed, Digital Regulation Co-operation Forum launches technology horizon scanning programme, Information Commissioner publishes opinion on online advertising and privacy, CMA consults on modified commitments offered by Google in abuse of dominance investigation arising from Google's "Privacy Sandbox" browser changes and ICO publishes paper on end-to-end encryption. See also Cookies and Article, Practical Law UK Competition: what to expect in 2022).

Digital identities. We may see further work on digital identities following the DCMS consulting on its proposed framework (see Legal update, Government consults on operation of digital identity system). The EU proposals for an update to the rules on electronic identification will also have an impact on digital business models in the EU (see Practice note, Electronic Identification and Trust Services Regulation (eIDAS): European Commission review).

Public sector. Working with the CDEI, the government has published a standard for ensuring the transparency of algorithms, for use by government departments and public sector organisations. The standard will be the subject of a pilot project and the government will then seek the Data Standards Authority's formal endorsement of it in 2022. (See Legal, Government pilots public sector algorithmic transparency standard.) We may also see guidance on and investigations into the use of cloud-based services by the public sector following the EDPB selecting this topic as its first co-ordinated action (see Legal update, EDPB launches first co-ordinated action on use of cloud-based services by the public sector).

EU strategy. At the EU level, the European Commission is proposing to update its 2012 European strategy for a better internet for children in the light of changes in children's use of digital technology, the acceleration of digital transformation caused by COVID-19 and the "Digital Decade" (see below). (See Legal update, European Commission roadmap on updating strategy for better internet for children.)

EU DGA. At the EU level, as well as efforts on the proposed Path to the Digital Decade, we are likely to see further progress on the DGA which will seek to encourage the sharing of data (both personal and non-personal) generated by public authorities, private sector organisations and individual citizens (data holders) by providing a good governance framework. (See Legal updates, State of the Union: European Commission proposes Path to the Digital Decade to deliver EU's digital transformation by 2030 and Political agreement reached on European Data Governance Act. See also Article, Trends in information technology law: looking ahead to 2022 and Data sharing.)

Digital trade and competition. The G7 countries agreed five digital trade principles in 2021, one of which is data free flow with trust which involves addressing concerns around data localisation requirements being used for protectionist and discriminatory purposes, looking at more commonality in regulatory approach and consensus on common principles for government access to personal data held by the private sector. Earlier in 2021, the UK government had published a similar five-point plan for digital trade and the Board of Trade has published a report identifying eight priorities for UK trade policy, one of which is to centre its digital trade policy around those five points. (See Legal updates, G7 countries agree digital trade principles, Government publishes five-point plan for digital trade and Board of Trade publishes report on digital trade.) We can therefore expect to see data protection regulation continue to play an important role in digital trade. In relation to competition, the CMA, as part of the UK's Presidency of the G7, has published an independent report providing a compendium of approaches to improving competition in digital markets and at the EU level, the European Commission's proposal for a regulation to ensure contestable and fair markets in the digital sector (Digital Markets Act) continues to progress (see Legal updates, CMA publishes compendium of approaches to improving competition in digital markets and Council agrees general approach on Digital Markets Act proposal.) See also Article, Trends in information technology law: looking ahead to 2022 and Data sharing.

EDPB guidance. The EDPB continues to have a watching brief on legal implications relating to technological issues, such as cloud, AI and machine learning, digital identity, data brokers, internet of things and payment methods We may also see specific guidelines on blockchain and on anonymisation and pseudonymisation. (See Legal update, EDPB publishes 2021/2022 work programme (46th Plenary).)

New SCCs for controller and processor transactions. It remains to be seen whether the ICO will produce a set of UK standard contractual clauses (SCCs) for controller processor transactions or adopt the SCCs produced by the EC in June 2021 (see Legal update, European Commission adopts final versions of standard contractual clauses under EU GDPR). Either option would likely be welcomed by SMEs in 2022 because a new set of SCCs approved for UK use would become the default standard for organisations or the benchmark against which other clauses will be measured and ease the burden of complying with the contracting requirements under Article 28(3) of the UK GDPR. See Exporting personal data.

Five-point plan for digital trade. A key element of the Department for International Trade (DIT) five-point plan to boost digital transactions and the UK economy concerning the free flow of data (see Legal update, Government publishes five-point plan for digital trade Department for International Trade) relies on the ICO's support to help ensure its success. The DIT's vision to remove unjustified barriers encountered by data as it transfers along international digital superhighways is shared by the ICO, provided that any personal data is safeguarded to the high standards of UK data protection laws. Exactly how those twin goals are to be achieved should become clearer in 2022. See Technology.

Part of the ICO's role will be to help develop rules and provide regulation that ensure "data flows with trust", and will sustain consumer trust that data relating to them will be protected by robust laws when it is processed by new data driven products and business models (see Legal update, ICO releases summary of discussions between G7 data protection authorities).

Business enabling data protection laws. In the ICO's response to the DCMS consultation on data protection reform ("Data: A new direction") (see Legal update, ICO response to DCMS consultation on future of UK data protection regime), it acknowledged the UK's new found freedom to adapt data protection laws to be a business enabler and develop reforms to help UK businesses employ risk-based, practical approaches to meeting their data protection obligations when transferring data from the UK. For information on the ICO's work programme for international transfers of data, see Exporting personal data.

Digital friendly EDPB work programme. The EU GDPR's role in boosting digital transactions is a key pillar of the EDPB work programme for 2021/2022 (see Legal update, EDPB publishes 2021/2022 work programme (46th Plenary)). Publications anticipated from the EDPB for 2022 include guidelines on blockchain, anonymisation and pseudonymisation, facial recognition in law enforcement and topics such as AI, cloud computing, internet of things and data brokers. Although EDPB guidelines are no longer directly relevant to the UK regime, and are not binding under the UK regime, the ICO has confirmed they may still provide helpful guidance on certain issues.