An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Like other countries in Europe, the United Kingdom (UK) passed legislation designed to supplement the data protection requirements of the European Union (EU) General Data Protection Regulation (GDPR),2 which came into force on 25 May 2018, repealing the EU Data Protection Directive 95/46/EC (the Data Protection Directive).3 The GDPR regulates the collection and processing of personal data across all sectors of the economy. The UK Data Protection Act 2018 (the DPA 2018), which came into force on 23 May 2018, repealed the UK Data Protection Act 1998 (the DPA 1998) and introduced certain derogations that further specify the application of the GDPR into English law. In addition to transposing the data protection and national security provisions of the EU Law Enforcement Directive 2016/680 (Law Enforcement Directive),4 the DPA 2018 grants powers and imposes duties on the national data supervisory authority, the UK's Information Commissioner's Office (ICO). Importantly, following the UK's withdrawal from the EU (more commonly known as Brexit) and the expiry of the Brexit transition period, which ended on 31 December 2020, the GDPR has been implemented into English law as the 'UK GDPR'. The GDPR will therefore be retained into domestic law but the UK will have the independence to keep the framework under review and introduce additional provisions and derogations. Further, although the UK no longer forms part of the EU, and, in turn, is not bound by the decisions of the Court of Justice of the European Union (CJEU) or of European bodies such as the European Data Protection Board, the ICO has confirmed that the UK is still bound by the CJEU's Schrems II decision handed down on 16 July 2020. Further details on the Schrems II decision and its repercussions are provided in Section VII.
Further, while transfers of personal data from the UK to the EU remain unrestricted and do not require additional safeguards, transfers of personal data from the EU to the UK under the terms of the Trade and Cooperation Agreement agreed between the EU and the UK on 24 December 2020, only remained unrestricted until 30 June 2021. During this six month 'bridging period' following Brexit, the European Commission assessed the UK's data protection laws and on 28 June 2021 approved adequacy decisions for the UK: one under the GDPR and one under the Law Enforcement Directive (Adequacy Decisions). In its assessment, the European Commission determined that the UK's data protection laws are essentially equivalent to the data protection laws ensured within the European Economic Area (EEA). As a result of the Adequacy Decisions, personal data can continue to freely flow from the EU to the UK without the need for a data transfer mechanism being in place. The UK's Adequacy Decisions are limited to four years, following which the UK's adequacy may be renewed on the condition that the UK continues to provide an adequate level of data protection.
The year in review
The ICO has published a variety of guidance addressing compliance with the GDPR5 and the DPA 2018 including in relation to the impact of Brexit to help organisations prepare for the end of the transition period.6 Further details on the impact of Brexit are provided in Section VII.
Following the entry into force of the GDPR, the ICO has reported receiving large volumes of personal data breach notifications and complaints from individuals. During the 2020/2021 period, the ICO has received 9,532 personal data breach notifications, down from 11,854 in the previous year.7 Due to the impact of covid-19, the ICO has reportedly had to adapt its regulatory approach, recognising that 'organisations are trying to operate during uncertain and challenging times' and as a result in relation to personal data breach notifications, it will assess these reports, taking an appropriately proportionate approach.8
Naturally, a significant amount of the ICO's regulatory activity this year has involved issuing guidance on how to comply with data protection requirements during the ongoing coronavirus covid-19 pandemic, 'Data protection and coronavirus: advice for organisations', with advice on contact tracing, testing, vaccination and covid-19 status checks, surveillance and updates to privacy notices to incorporate new purposes of personal data processing. Moreover, the ICO finalised a new Age Appropriate Code in September 2020 to set out the standards expected of those responsible for designing, developing or providing online services likely to be accessed by children. The Code requires digital services to automatically provide children with a built-in baseline of data protection and privacy whenever they download a new app or game or visit a website.
Finally, on 11 August 2021, the ICO launched a public consultation on its draft transfer risk assessment tool (TRA) to assist organisations when completing the transfer privacy impact assessment as required by the Schrems II decision as well as a new draft international data transfer agreement (IDTA) to deal with restricted transfers of personal data from the UK. The ICO has noted that the primary purpose of the consultation, which ends on 7 October 2021, is to understand the practical impact of its proposed approaches on impacted organisations and, in turn, has sought feedback from a variety of stakeholders including data protection practitioners, multinational companies, and SMEs and legal professionals. For further details, see Section VII.
Although there have been a number of developments in the past 12 months, including in relation to dealing with covid-19 related issues, there is no doubt that one of the more significant developments has been dealing with international transfers following the Schrems II case, the UK publishing its draft IDTA and TRA and the UK receiving Adequacy Decisions from the European Commission. As the UK's Adequacy Decisions will automatically expire after four years (i.e., in June 2025), this may present the UK with some challenges in trying to balance paving its own way forward in relation to data protection in the UK while ensuring that its data protection standards do not deviate in such a way that the renewal of its adequacy status is threatened in 2025.
More generally, as issues related to covid-19 recede, we expect there may well be a resurgence in enforcement action by the ICO in the coming months as well as an increase in consumer privacy litigation.