Here is our round-up of the most significant data protection developments in the UK and overseas in recent weeks.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
Data Breaches. How can you stay protected?
There have been an alarming number of data breaches in the past few weeks.
Although the ones involving Uber, Take Two Interactive, and American Airlines have grabbed the most headlines, smaller organisations have also seen increases in the frequency of breaches, due to external attacks and internal errors.
To help our clients and the general public, we published two articles providing actionable tips organisations can use to deal with breaches and reduce the likelihood of recurrence.
GOVERNMENT AND REGULATORY ACTIVITY
Data Protection and Digital Information Bill Stalled
The Data Protection and Digital Information Bill was due to have its second reading in the House of Commons on the 5th of September, but was instead withdrawn from the day’s business “to allow ministers to consider the legislation further”. The reasons for the withdrawal remain unclear, and although there has been speculation about what changes (if any) will be made to the draft, what is certain is that the current legislative framework (the UK GDPR and the Data Protection Act 2018) will remain in force for the foreseeable future. Any law that is eventually passed may look considerably different from the current draft; our founder Nigel Gooding analysed the original proposals in his blog when they were first announced – Data, a New Direction
ICO Launches Second Consultation on Journalism Code of Practice
Exercising its powers to issue codes of practice under Section 124 of the Data Protection Act 2018 (DPA 2018), the Information Commissioner’s Office (ICO) has launched a second consultation on a draft code of practice on using personal data for journalism. The code provides practical guidance on how to meet data protection legal requirements and good practice when using personal data for journalism, with a focus on complying with the principles set out in the DPA 2018 and the UK GDPR. The consultation is currently open on the ICO website and closes on the 14th of November.
California Passes Children’s Online Safety Law
California state lawmakers passed a major children’s online safety measure, the California Age-Appropriate Design Code Act, which would require digital platforms to assess whether new products are likely to harm children and teenagers before rolling them out, and to apply privacy-protective settings to younger users by default. The law was subsequently signed by the governor and is due to take effect on July 1, 2024.
European Union Digital Services Proposals
In December 2020, the European Commission proposed two legislative initiatives to reform the rules governing digital services in the EU: the Digital Services Act (DSA) and the Digital Markets Act (DMA). On 25 March 2022, a political agreement was reached on the Digital Markets Act, and on 23 April 2022 on the Digital Services Act. Both laws contain sweeping changes to the obligations of large digital service providers, especially social media and content platforms, including regular risk assessments and increased transparency about how personal data is used for advert targeting.
UK International Data Transfer Agreement (UK IDTA) Deadline Passes
The deadline for UK organisations to stop using the old EU Standard Contractual Clauses (EU SCCs) for new contracts involving ‘restricted transfers’ of personal data (transfers out of the UK to countries not covered by UK adequacy regulations) passed on the 21st of September. Since the 22nd of September, there are only two options for new agreements:
1. the UK International Data Transfer Agreement (UK IDTA), or
2. the UK Addendum to the EU SCCs, which can be used where a single set of clauses needs to satisfy both EU and UK requirements.
In either case, the exporting organisation must first carry out a transfer risk assessment and ensure that appropriate safeguards are in place to protect the data subjects from any identified risks. Contracts concluded on or before the 21st of September that rely on the old EU SCCs can continue to do so until the 21st of March 2024, after which they too must be moved onto the IDTA or the Addendum.
ICO Issues Notice of Intent to TikTok
The UK Information Commissioner’s Office announced that, as part of its focus on protecting children’s privacy, it had investigated TikTok and provisionally found that the company may have breached UK data protection law by failing to protect children using its video service. It has therefore issued TikTok with a ‘notice of intent’ stating that it intends to fine the company up to £27 million. The findings are provisional: the ICO will consider TikTok’s representations before deciding whether to impose a penalty and, if so, the amount.
Meta (fka Facebook) fined €405m over Instagram’s handling of teens’ data
Instagram owner Meta has been fined €405m (£349m) by Ireland’s GDPR supervisory authority (the Data Protection Commission) for letting teenagers between the ages of 13 and 17 set up accounts that publicly displayed their phone numbers and email addresses. The app’s registration system set the profiles to “public” by default, thus violating the obligation Meta had under the GDPR to keep digital services targeted at children at a high level of privacy and transparency.
ICO Issues Formal Reprimand to the Ministry of Defence, Home Office and 5 other Organisations
On the 28th of September, the Information Commissioner’s Office announced that it had taken action against 7 organisations for failing to respond to information access requests from members of the public. The Ministry of Defence was found to have a Data Subject Access Request (DSAR) backlog dating back to 2020, while the Home Office was singled out for having a significant backlog between March 2021 and November 2021. Other organisations on the list were the London Boroughs of Croydon, Lambeth and Hackney, Kent Police, and Virgin Media, although in their case, the ICO noted that there had been improvements in their SAR turnaround recently.