What’s ahead for the Information Commissioner’s Office in 2021?
The role of the ICO post-Brexit
The ICO is the UK’s independent regulator, which oversees and enforces the UK’s data protection regime. From 1st January 2021, as the ICO’s website states, “… the UK General Data Protection Regulation together with the amended Data Protection Act and Privacy and Electronic Communications Regulations will comprise the personal data protection legislation in the UK.” The Trade and Co-operation Agreement (ETCA) reached between the UK and the EU on 24th December 2020 includes a ‘data-bridge’ which provides for the continued free flow of personal data from the EU and EEA EFTA States to the UK until adequacy decisions are adopted, and for no longer than six months. The UK has, on a transitional basis, deemed the EU and EEA EFTA States to be adequate to allow for data flows from the UK.
Post-Brexit and in relation to international data flows, the ICO will have three main tasks:
1. Establishing a new relationship with the EU
If the EU does decide that the UK’s data protection regime is ‘adequate’ when compared with the EU’s regime, then the ICO will have a role both in maintaining that adequacy and in advising Government and others on the consequences of any changes to the UK’s data protection regime which may cause the EU to revisit its assessment.
If the EU does not make such an adequacy decision, there will still be many UK businesses that want to send data to and from the EEA so the ICO will play an important role in supporting such businesses. The absence of such an adequacy decision may mean that ultimately the UK can be a bit more pragmatic, whilst maintaining high data protection standards, when it comes to international data sharing.
Last summer's decision of the Court of Justice of the European Union in Schrems II had already caused the European Data Protection Board (EDPB) and the EU Commission to issue new (draft) recommendations on ‘standard contractual clauses’ (SCCs) and on other considerations for businesses such as the surveillance regimes of the country where the business receiving the data is based.
The UK ICO issued a statement on 13th November 2020 to say it was reviewing the EDPB and EU’s recommendations. We await the conclusions of that review, but the data-bridge agreed as part of the ETCA probably does mean that the UK approach to SCCs is likely to remain close to the EU’s approach, at least for the present. The ICO advises that, in the meantime, for a data transfer from the UK “… UK controllers can continue to use the existing EU SCCs (valid as at 31 December)” – more detail on the ICO’s approach to SCCs now that the transition period has ended can be found here, and further information about personal data transfers post Brexit can be found in our updated briefing.
2. Setting up an adequacy decision process for non-EEA countries
The ICO will also have to finalise the UK’s own adequacy assessment process, which will be needed as the UK signs Free Trade and Trade Continuity Agreements with other non-EEA countries. Given the economic importance of international data flows, it is very likely that these new agreements will have more to say on data than previous agreements. As we said in our summary note after our November 2020 International Data Flows webinar, the new UK/Japan Free Trade Agreement is a good example of this. The UK has reached an agreement on data adequacy with Japan.
3. Helping to put the UK’s National Data Strategy, which will set the tone for the UK’s global data competitiveness, into effect
The third area will be broader policy work, in conjunction with the UK Government and particularly the Cabinet Office and Department for Digital, Culture, Media and Sport on the UK’s overall approach to data issues, including data protection, as part of the September 2020 National Data Strategy (NDS) and other expected publications such as the National Digital Strategy and a refreshed Industrial Strategy.
In the NDS, the UK Government said it wanted to maintain high data protection standards and acknowledged that it is important that the public trust what is happening with their data. One of the stated ‘missions’ is to secure a pro-growth and trusted data regime. The desire is to get the balance right between regulations which protect data, so the public has trust in how data, including personal data, is used whilst also supporting the use of data by innovators and entrepreneurs by ensuring any regime is not too burdensome. The aim is to maintain a data regime that supports UK objectives outside the EU and recognises that data protection laws will need to “remain fit for purpose amid rapid technological change.”
The ICO has developed a Regulatory Sandbox, to support organisations who are creating products and services which utilise personal data in innovative and safe ways. As stated on the ICO’s website “Participants will have the opportunity to engage with our Sandbox team, to draw upon our wider ICO expertise and advice on mitigating risks and embedding ‘data protection by design’”.
Non-Brexit work of the ICO
The Information Commissioner, Elizabeth Denham, published a blog at the end of January in which she looked ahead to the ICO’s other plans for 2021. Unsurprisingly, helping organisations to deal with data protection issues which arise during the pandemic remains the ICO’s top priority. The Commissioner has also invested a great deal of personal energy in the Age Appropriate Design Code and, while we wait for the Government’s Online Harms Bill to be published, the Code is an important step in protecting the privacy of younger users of online services, including apps.
The ICO also expects to continue to produce guidance on issues such as data sharing, political campaigning, and the use of facial recognition technology as well as focussing on areas such as the use of Artificial Intelligence – for example, by publishing an AI risk toolkit which we will be covering at our forthcoming February 2021 webinar on Auditing Algorithms.
The Regulatory Sandbox, mentioned above, and grants to support innovative uses of data remain an important part of the ICO’s work.
Finally, the Commissioner herself has been asked to extend her term in office from the summer until October 2021 while her successor is appointed.
ICO publishes statutory data sharing code of practice
In December the ICO published a new data sharing Code of Practice. The new Code is published in accordance with s.121 of the Data Protection Act 2018 and sets out how data can be shared in compliance with relevant data protection law.
When sharing data, those following the Code must follow the key principles in data protection legislation namely:
- The accountability principle means that the organisation is responsible for its compliance, and must be able to demonstrate that compliance;
- It must share personal data fairly and transparently;
- It must identify at least one lawful basis for sharing data before any sharing begins; and
- It must process personal data securely, with appropriate organisational and technical measures in place.
Advice is also provided on why a data sharing agreement should be signed, what it should include and when it should be reviewed.
In launching the Code, the ICO said, “Data sharing is central to digital innovation in both the private and public sectors. It can lead to many economic and social benefits, including greater growth, technological innovations, and the delivery of more efficient and targeted services.” The ICO’s objective is to challenge some myths around what is and isn’t permissible in terms of data sharing and to strike the right balance between sharing data (noting that ‘sometimes it can be more harmful not to share data’) and protecting data privacy rights and maintaining public trust in data management.
However, although the Code clearly sets out legal ways in which data can be shared, the ICO also points out that “there are other barriers to data sharing, including cultural, technical and organisational factors”, presumably a nudge to the Government and others who will have a role to play as part of the implementation of the NDS.
Fines for data breaches
The ICO also has, and will continue to have, an enforcement function and in October it handed out two very large fines.
First, British Airways was given the ICO’s largest fine so far, of £20 million, for a breach of data protection laws. As the ICO stated, its investigation “… found the airline was processing a significant amount of personal data without adequate security measures in place. This failure broke data protection law and, subsequently, BA was the subject of a cyber-attack during 2018, which it did not detect for more than two months. [Our] investigators found BA ought to have identified weaknesses in its security and resolved them with security measures that were available at the time.” The ICO’s penalty notice sets out in detail the measures which the ICO expected BA should have taken to avoid the breach and to keep the personal data it held secure.
In late October the ICO fined Marriott International £18.4 million, finding that “… there were failures by Marriott to put appropriate technical or organisational measures in place to protect the personal data being processed on its systems, as required by the General Data Protection Regulation.”
Another interesting although much smaller fine in Autumn 2020 was levied against Ticketmaster. The ICO’s investigation found that Ticketmaster’s decision to include a chat-bot, hosted by a third party, on its online payment page allowed an attacker access to customers’ financial details and that the company had failed to put appropriate security measures in place to prevent a cyber-attack on the chat-bot. This failure to protect customer information was a breach of the GDPR.
In future, the ICO won’t have to use the consistency mechanism with other European regulators to set fines for breaches of UK GDPR. However, the ICO is likely to continue to take the same view, as it has done to date, of those controllers and processors which suffer data breaches because they failed to put in place basic and fundamental cyber security processes and mechanisms. The ICO is therefore very unlikely to take a more lenient approach, particularly considering its Regulatory Action Policy published in 2020, and its renewed focus on strong accountability and the ability to demonstrate it, as evidenced in the release of its Accountability Framework last Autumn.
Nevertheless, the BA and Marriott fines did demonstrate that factors such as acting promptly in notifying the ICO and affected data subjects when you first become aware of a breach, taking immediate measures to mitigate and minimise damage to data subjects, swiftly implementing remedial measures, and full co-operation with the ICO should contribute towards a reduction in the penalty figure which the ICO arrives at; the eventual amounts of the fines levied last Autumn were considerably lower than the figures first indicated in the ICO’s intention to fine announcements made in July 2019. So too does mounting a strong challenge where it is clear that ICO methodology can be questioned, especially given that setting penalties for breach of GDPR is still relatively new territory.
Travers Smith engagement with the ICO
The BA and Marriott actions have laid the groundwork in demonstrating that it is worth mounting a robust appeal when faced with enforcement action by the ICO, and we now know the sorts of factors which are likely to hold sway. Travers Smith is well placed to help any business which wants to look at its options in this regard; as a firm we have a wealth of experience in successfully appealing regulatory fines, and our data protection specialists provide pragmatic, commercial interpretation of data protection law, including helping businesses respond swiftly to data breaches in accordance with regulatory requirements.