Welcome to the February 2022 edition of the Privacy Points newsletter from Ashfords LLP’s Privacy Team.
2022 is already shaping up to be an influential year for data protection. A new contractual mechanism for data transfers has already been presented to Parliament for adoption in March, and we may well see some further reforms to the UK’s data privacy regime following last year’s consultation by the Department for Digital, Culture, Media and Sport (the “DCMS”).
As we progress into 2022, it is also important to look back at last year, which itself featured a number of significant shifts, including:
- The introduction of the Children’s Code for certain online services.
- The ruling of Lloyd v Google regarding data breach claims and damages.
- The EU granting the UK an Adequacy Decision.
We have included below a selection of last year’s major topics, as well as a flavour of things to watch in the year ahead.
Looking back
The ICO Data Sharing Code
In October 2021, the ICO’s Data Sharing Code of Practice (the “Code”) came into force. The Code is designed to resolve misconceptions around data sharing relationships, including requirements for agreements between two or more controllers (for which the UK GDPR does not set out a list of prescribed provisions). Uncertainty around legal requirements has led to organisations being hesitant to share personal data due to fear of non-compliance.
Installing cookies without consent: potential claims and damages based on Lloyd v Google
In November 2021, the Supreme Court gave judgment in the case of Lloyd v Google LLC [2021]. The case related to a claim against Google for installing cookies on iPhones without the users’ knowledge or consent; those affected theoretically numbered in the millions.
How has withdrawing from the EU affected the UK's data protection regime?
Following the UK’s withdrawal from the EU at the start of 2021, the UK was left with a bridging period during which data flows could continue unhindered between the EU and the UK. Without this bridging period, the UK would have been considered a third country for data transfers, which would have restricted data flows between the two jurisdictions. Towards the end of the bridging period, the EU issued an Adequacy Decision, confirming that the UK’s data protection regime is sufficiently equivalent to the EU’s regime.
The ICO’s Children’s Code
The ICO introduced the Children’s Code (the “Code”) in September 2020. It establishes a code of practice to protect children’s digital privacy, acknowledging that children’s personal data should be afforded additional protection, whilst ensuring that children receive “best possible access” to the internet in the UK. Any persons under the age of 18 are “children” for the purpose of the Code.
Looking forward
International Data Flows and the IDTA
In February of this year, the DCMS placed a new set of documents before Parliament – the International Data Transfer Agreement (the “IDTA”), an International Data Transfer Addendum to the EU’s revised standard contractual clauses (the “UK Addendum”), and supporting transitional provisions.
A post-Schrems II Privacy Shield?
The USA has not been granted an Adequacy Decision by either the UK or the EU. Until 2020, the Privacy Shield scheme served to legitimise data transfers from the UK or EU to the USA, for organisations certified by Privacy Shield. However, following the much-publicised Schrems II decision, the Privacy Shield scheme was ruled inadequate.
End-to-End Encryption
Over the past several years, the Home Office has begun to push for stronger controls regarding end-to-end encryption (“E2EE”), in particular for social media apps such as WhatsApp or Signal. Recently, the debate has begun to intensify, as the scales are weighed between freedoms and safety.
The Past Year’s Webinars
We have also held a number of data protection webinars throughout the past year, covering a diverse range of topics. Our recordings can be accessed through the Ashfords LLP YouTube channel, or via direct links below:
- Handling Data Breaches
- AdTech
- Processing Special Category Data
- International Transfers and the UK Adequacy Decision
If you would like more information on the above, please contact the Data Protection team.