Welcome to the February 2022 edition of the Privacy Points newsletter from Ashfords LLP’s Privacy Team.
2022 is already shaping up to be an influential year for data protection. A new contractual mechanism for data transfers has already been presented to Parliament for adoption in March, and we may well see some further reforms to the UK’s data privacy regime following last year’s consultation by the Department for Digital, Culture, Media and Sport (the “DCMS”).
As we progress into 2022, it is also important to look back at last year, which itself featured a number of significant shifts, including:
We have included below a selection of last year’s major topics, as well as a flavour of things to watch in the year ahead.
In October 2021, the ICO’s Data Sharing Code of Practice (the “Code”) came into force. The Code is designed to resolve misconceptions around data sharing relationships, including requirements for agreements between two or more controllers (for which the UK GDPR does not set out a list of prescribed provisions). Uncertainty around legal requirements has led to organisations being hesitant to share personal data due to fear of non-compliance.
In November 2021, judgment was given in the case of Lloyd v Google LLC [2021] by the Supreme Court. The case related to a claim against Google for installing cookies on iPhones without the users’ knowledge or consent; those affected theoretically numbered in the millions.
Following the UK’s withdrawal from the EU at the start of 2021, the UK was left with a bridging period during which data flows could continue unhindered between the EU and the UK. Without this bridging period, the UK would have been considered a third country for data transfers – this would have resulted in restraint on data flows between the two jurisdictions. Towards the end of the bridging period, the EU issued an Adequacy Decision, confirming that the UK’s data protection regime is sufficiently equivalent to the EU’s regime.
The ICO introduced the Children’s Code (the “Code”) in September 2020. It establishes a code of practice to protect children’s digital privacy, acknowledging that children’s personal data should be afforded additional protection, whilst ensuring that children receive “best possible access” to the internet in the UK. Any persons under the age of 18 are “children” for the purpose of the Code.
In February of this year, the DCMS placed a new set of documents before Parliament – the International Data Transfer Agreement (the “IDTA”), an International Data Transfer Addendum to the EU’s revised standard contractual clauses (the “UK Addendum”), and supporting transitional provisions.
The USA has not been granted an Adequacy Decision by either the UK or the EU. Until 2020, the Privacy Shield scheme served to legitimise data transfers from the UK or EU to the USA, for organisations certified by Privacy Shield. However, following the much publicised Schrems II decision, the Privacy Shield scheme was ruled inadequate.
Over the past several years, the Home Office has begun to push for stronger controls regarding end-to-end encryption (‘E2EE) in particular for social media apps such as WhatsApp or Signal. Recently, the debate has begun to intensify, as the scales are weighed between freedoms and safety.
We have also held a number of data protection webinars throughout the past year, covering a diverse number of topics. Our recordings can be accessed through the Ashfords LLP Youtube channel, or via direct links below:
If you would like more information on the above, please contact the Data Protection team. If you would like to receive our bulletins on a regular basis, please click here.
