On 19 July 2022 the Information Commissioner’s Office (ICO) held its annual Data Protection Practitioners’ Conference, the first since John Edwards became Commissioner. There was no shortage of content across a wide range of topics, including international data transfers and the role of the ICO itself.
The DAC Beachcroft data protection and cyber team attended and listened closely, and have picked out the highlights below.
A key theme running through many of the sessions was the ICO’s strategic plan, “ICO25”, and in particular its four proposed strategic objectives: (i) protect and empower people; (ii) strengthen responsible innovation and sustainable economic growth; (iii) promote openness, transparency and accountability; and (iv) continue to develop the culture, capabilities and capacity of the ICO. These objectives will drive ICO activity and enforcement over the next three years. The plan is open for consultation until 22 September and will be finalized in the autumn.
Reform: Data Protection and Digital Information Bill
The view from the Conference on the proposed Data Protection and Digital Information Bill and the reform of the UK data protection regime was generally positive. The proposed reforms are seen as striking a good balance between improvements for organizations and giving people confidence in how their personal data is used. On accountability, the ICO is positive about replacing the role of Data Protection Officer with a senior responsible individual, as this will give businesses more flexibility in how they meet their data protection obligations. The ICO also expressed optimism about the benefits the reforms will bring in allowing organizations to take a proportionate approach based on the type of data they use. Although it was noted that it is too early to know the impact of the proposed UK law reform on cross-border data transfers, it was recognized that there is a long list of issues the Government needs to address. On future EU adequacy findings for the UK, the ICO appears confident that data is just as well protected in the UK as it is in the EU. Overall, the ICO emphasized its commitment to providing appropriate support to organizations in complying with the legislation in future, and welcomed the greater control it would have over its own resources.
A detailed update on the Data Protection and Digital Information Bill will follow.
Technology and Innovation
In one of the Conference sessions, Adam Ingle from the ICO’s new foresight team summarized the following five emerging technologies that the ICO will focus on over the next year, all of which involve the processing of personal data in innovative ways:
- Biometric technology – an emerging and controversial use of biometric data is to infer a person’s emotional state, using algorithms to predict, for example, whether someone with an agitated facial expression or a particular gait may pose a security threat, and alerting security staff to treat them with suspicion.
- Blockchain – while blockchain offers significant potential to share data more freely without the risk of data loss, it also poses challenges from a privacy point of view, because personal data written to a blockchain is visible to anyone who can read the chain, indefinitely, and cannot readily be erased or made anonymous after the fact.
- Smart spaces – the next generation of the Internet of Things (IoT) will involve interconnected environments, for example micro-sensors in office and home environments collecting data in a way that blurs the distinction between data collected at work and data collected at home.
- Immersive technology – there are open questions about how augmented and virtual reality interact with the right to be informed, and particular concerns about the use of such data for, for example, targeted advertising.
- Privacy enhancing technologies (PETs) – solutions such as trusted execution environments offer the potential to improve data anonymity and security, so that organizations can maximize the value of data sharing.
Building responsible AI
This presentation focused heavily on the ICO’s “AI and Data Protection Toolkit”, which is designed to:
- identify risks to the rights and freedoms of individuals caused by the use of AI systems;
- link those risks to what is required under the UK GDPR;
- provide practical measures to help mitigate the identified risks; and
- make it easier for organizations using AI to comply with data protection law at each “stage” of the AI lifecycle.
The practical steps that organizations can take when a risk is identified fall into three categories: (1) a “must”, which represents a legal requirement; (2) a “should”, which represents what the ICO considers to be best practice; and (3) a “could”, which represents optional good practice. The ICO hopes that this tiered system will make decision-making in the face of data processing risks a simpler and more manageable process.
The ICO believes that three groups in particular will benefit from the Toolkit: risk and governance teams (e.g. the DPO and/or legal and compliance functions), AI model development teams, and an organization’s senior leadership (as the individuals who may sign off on the data processing carried out by the AI system).
International Data Transfers
During another session, the ICO revealed its much-anticipated approach to transfer risk assessments (TRAs), and is expected to publish guidance on this by September at the latest.
Emma Bate, Director of Legal Services at the ICO, gave a preview of what we can expect this summer, noting that the guidance has not yet been formally signed off. Even so, she said, it gives a good sense of the ICO’s approach.
Two main options regarding the approach to TRA have been outlined:
- Option one: an assessment that compares UK law and practice (including UK GDPR) with destination country law and practice; or
- Option two: assessment comparing the position of the data subject in the specific circumstances of the transfer (a) if the data remains in the UK and (b) if the transfer is proposed to continue.
For organizations operating in both the UK and Europe, or for those already working on a TRA process based on the EDPB guidance, this is good news: option one means that a TRA based on the EDPB guidance will meet the ICO’s requirements, so if you wish you can use the same process for Europe and the UK.
The TRA tool proposed by the ICO will involve a seven-step process and will include consideration of the level of risk to the data subjects whose personal data you transfer. What is also evident is the recognition that the TRA process must be proportionate and manageable for the organization carrying it out.
We all await the final publication of the guidance.
Data breach compensation claims – a new role for the ICO
In a panel session entitled “Ask the ICO”, John Edwards was asked to explain the key differences between his current role as UK Information Commissioner and his previous role as New Zealand’s Privacy Commissioner. Interestingly, his answer gave an insight into the mechanisms in New Zealand for individuals to raise data protection complaints and claims of harm directly with the Privacy Commissioner. In New Zealand, John Edwards explained, the Privacy Commissioner investigates complaints and, if there is a legitimate claim for compensation, will help negotiate a settlement between the individual data subject and the organization. There is no such mechanism in the UK to date. In the UK, we have seen a significant increase in data breach compensation claims over the past two years, but these are usually handled by claims law firms, in correspondence with the data controller or its lawyers, directly.
John Edwards noted that there is “scope for [the ICO] to emulate that [in the UK]”, and that the ICO will bring a “dispute resolution mindset” where it is possible and reasonable to do so. It remains to be seen how the ICO envisages this role being implemented, but it is clear from John Edwards’ statement that it is on the ICO’s agenda. While this may be welcome news to data controllers who receive a large number of compensation claims, we suspect that the news will not be well received by the claims law firms who may end up losing business. We asked how the move would be resourced given the pressures on ICO staff. Perhaps a new compensation claims ombudsman should be created to deal with the huge number of compensation claims being received, as we suspect the regulator will not have the capacity to deal with this!
The conference came just a day after the introduction of the new Data Protection and Digital Information Bill. As well as amending the core data protection legislation, the Bill (as currently drafted) seeks to change the way the ICO itself is constituted and operates. We will publish a full analysis of the Bill in due course.