Clarkslegal Law Bites

UK Data Protection: Development round-up 2022 and 2023 trends

Clarkslegal

In this podcast Ciara Duggan and Oscar Poku members of the Data Protection team at Clarkslegal discuss the main developments in the UK Data Protection scene from 2022 and what trends to look out for in 2023.

Key developments of 2022

  • Implementation of the International Data Transfer Agreement and update to Transfer Risk Assessments
  • The Data Protection and Data Information Bill
  • New guidance on the UK BCRs
  • Cybersecurity and data breaches

What to look out for in 2023

  • Data protection reform
  • Regulation of AI
  • Development of the metaverse
  • UK ‘adequacy’ status review

If you have any questions in relation to Data Protection, please contact our Data Protection lawyers for advice.





Oscar Poku 00:03

Hi, my name is Oscar, and I’m joined by my colleague Ciara today. We’re members of the Clarkslegal Data Protection Team. And on today’s podcast, we will be reviewing two things, firstly we will be looking at the main developments in the UK Data Protection scene from 2022 and secondly we will look at what trends to look out for in 2023.

I would like to begin this podcast with a question for my colleague. Would you agree that there was lot going on in 2022 in the data protection world?

Ciara Duggan 00:33

I would agree with that assessment. In March 2022, the international data transfer agreement came into force, which is an agreement that covers  situations where UK-based organisations export personal data to third party countries such as the USA, these countries are not covered by an adequacy decision. Later in the year, we also witnessed updates that were made to transfer risk assessments or TRAs. At the same time,  new guidance on UK binding corporate rules or UK BCRs was issued. In addition to that we have also seen an increase in the number of cybersecurity and data breaches and it’s interesting to see the types of enforcement by the regulator. However, it seems the data protection and digital information bill made most headlines because how seeks to evolve the UK’s data protection regime. We understand that the UK Government wanted to apply an outcomes/’risk-based’ approach to simplify the process but we are still waiting for further details on what this will look like. 

Oscar Poku 01:28

Thank you very much. In today’s podcast we will discuss all these topics mentioned above and how they impact the UK data protection scene.  

Ciara Duggan 01:37

What about 2023? Is there anything we can look forward to when it comes to data protection? 

Oscar Poku 01:42

Yes there is. I hope you are all familiar with the phrase new year new me because as each year passes, there are more things to look forward to in your life. This mantra also applies to the data protection scene in the UK.

Ciara Duggan 01:54

That’s true. In 2023, we are looking forward to data protection reforms, the regulation of AI, the development of the ever popular metaverse and the UK’s adequacy status review. If you are interested in how your personal data is governed, I urge you to sit back, relax and enjoy today’s topics. 

So Oscar, what is the first topic for discussion today? 

Oscar Poku 02:13

I think we should begin with how data is transferred internationally from the UK to ‘third’ party countries and multinational companies or enterprises and the new guidance on Binding Corporate Rules in the UK. In today’s complex digital age, information travels from one border to next border with ease. Therefore our digital footprints does not stay in one place. 

Ciara Duggan 02:35

That’s true. However, there are systems in the UK that regulate the transfer of data internationally. Some of you will already be familiar with these data protection systems that protect our personal data when they cross international borders. We are of course talking about the UK’s adoption of the EU’s General Data Protection Regulation, which are better known as the UK’s GDPR. 

Oscar Poku 02:57

The UK’s GDPR mandates that data can only be transferred outside the UK if the transfer is based on various transfer mechanisms. These include international data transfer agreements also known as IDTAs and UK Binding Corporate Rules also known as UK BCRs. Most organisations in the UK deal with international data transfer requests to third party countries and multinational companies. Most of these requests will not be covered by an adequacy decision. As a result, it is important for organisations in the UK to abide by these transfer mechanisms to avoid risks involved with the international transfer of personal data outside the UK’s borders. To understand the implementation of international data transfer agreements, we must first consider the safeguards that were in place before Brexit. 

Ciara Duggan 03:46

Prior to Brexit, UK organisations had to rely on the EU’s Standard Contractual Clauses or SCCs. SCC’s aided data transfers from EU member states to non-EU countries and ensured that there were safeguards in place to protect data being transferred to third party countries. With the UK’s departure from the EU and following the judgment in the Schrems II case, changes made to the SCC regime by the European Commission no longer applied to the UK. These new changes mean that the old SCC regime adopted by the UK is outdated. As a result, the UK introduced the International Data Transfer Agreement the IDTA as we have mentioned before and a new addendum to the EU’s new Standard Contractual Clauses was adopted in order to aid in the international transfer of data outside the UK. 

Oscar Poku 04:32

In practice, the introduction of IDTA’s provides safeguards for UK organisations handling international data transfer to third party countries. UK organisation must now rely on the use of IDTA’s or the new Addendum to the EU’s new SCC to deal with the international transfer of data to third party countries. When using an IDTA, the agreement will be a standalone document that can complement a data sharing agreement which allows for the transfer of data between the sender and recipient of this personal data. In addition, the UK Addendum was implemented to be used alongside the EU’s SCC. It can also be used when the international transfer of data is subject to both UK and EU Data Protection Laws. Organisations must make sure that these documents are signed before the transfer of any personal data to third countries to ensure that adequate safeguards are in place.

Ciara Duggan 05:30

In addition to all of this, UK organisations will be required to undertake a transfer risk assessment the TRA, which is a requirement under the UK’s GDPR. On 17 November 2022, the ICO updated the guidance on TRA’s. The TRA exists to make sure that data subjects who are affected by the cross-border transfer of data, receive the necessary level of protection under UK Data Protection Laws. 

Is there anything that organisations should be doing in light of IDTA and the UK Addendum?

Oscar Poku 06:00

Yes I think so and thank you for the question. Yes it is important for organisations to conduct an audit to check where they may have data flows which would be international transfers of data. This means that organisations can better understand what data protection mechanisms they need in place to remain compliant with the UK data protection legislation. Organisations also need to conduct a TRA to make sure decisions on what the appropriate transfer mechanism whether it be an IDTA or UK Addendum, is used when dealing with the transfer of data to third party countries. 

Do you know of any other transfer mechanisms in place to deal with the international transfer of data? 

Ciara Duggan 06:41

The UK’s Binding Corporate Rules or the UK BCRs also deal with the transfer data but they deal with transfers within multinational companies or groups of enterprises. UK BCRs are legally binding and enforceable internal rules or policies which can be used by UK based controllers or processors to transfer data to non-UK based controllers within multinational companies or groups of enterprises.  

Oscar Poku 07:04

I have got a question. Do UK BCRs differ from IDTAs or can they be used simultaneously to do the same thing?

Ciara Duggan 07:13

Well, one can argue that BCRs focus on data transfer within multinational companies or groups of enterprises usually that are involved in joint economic activity such as franchises, joint ventures, or professional partnerships. So it seems, it is more suitable for UK companies to rely on BCRs when dealing with data transfers that involve multinational companies. In contrast, the IDTA deals with personal data that is transferred from the UK to third party countries, such as the USA.

Oscar Poku 07:39

Furthermore UK BCRs were considered as the gold standard because they had to be approved by a regulator.

Ciara Duggan 07:45

So, if it is considered as the gold standard, why has the ICO issued new guidance and rules and when it comes to BCRs? 

Oscar Poku 07:51

There can be many reasons for these changes. Historically, the process of UK BCRs has been costly and time consuming. Therefore, simplifying the process seeks to benefit multinational companies when using UK BCRs. 

Ciara Duggan 08:04

So, what’s changed? 

Oscar Poku 08:06

Some of the fundamental changes include the simplification of application forms and modifications to the approval process through the revision of the referential table. Consequently, under the new ICO guidance, a UK BCR will be shortened to include; an application form plus completed referential tables, a binding instrument that makes UK BCRs enforceable both internally and externally by third party data subjects. Lastly a BCR policy document that will be made publicly available to inform data subjects about how the new UK BCR affects their data and rights.

Ciara Duggan 08:46

Both the IDTAs and the UK BCRs are evidence of the UK government’s plan to simplify the process in handling  personal data by adopting an outcomes/’risk-based’ approach, rather than a prescriptive process which had administrative burdens for organisations. 

Oscar Poku 09:02

Thank you. Following on from IDTA and UK BCR’s we must address the Data protection and Digital Information Bill. This bill was introduced on 18th July 2022 and aims to update and simplify the UK’s Data protection regime after Brexit. Some of the legislation that will be amended under the bill include the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations from 2003. While the bill proposes major changes, it is important to note it will build on existing data protection legislation in the UK such as our own GDPR legislation. 

Ciara Duggan 09:48

So, lets looks at some of the proposals in the bill. One of the main proposals that made headlines is the amended definition of personal data. Before we consider the bill’s proposal do you want, do you want to give a brief explanation of what personal data is? 

Oscar Poku 10:01

Yes no problem. Just like its name, personal data is information that relates to identifiable individual. In other words, it is information that specifically relates to the data subject. It may include name, number, or an IP address. Therefore, if it is possible for the controller or processor of personal data to identify an individual from the information, even in instances where there is an absence of a name, they are handling information that is considered personal data. 

Ciara Duggan 10:31

Yes, the new proposals in the bill seek to amend the definition of personal data by limiting this previous definition to focus on the knowledge of the controller or processor and  therefore, under the new bill, if information is identifiable by a controller or processor by reasonable means at the time of processing, it will constitute personal data. Another consideration is that if the controller or processor ought to have known that another person will likely obtain the information because they were processing it and that the individual will most likely be identified by that person by reasonable means at the time of processing.

Yes the new proposals in the bill seek to amend the definition of personal data by limiting the previous definition to focusing on the knowledge of the controller or processor and therefore under the new bill. If information is identifiable by a controller or processor by reasonable means at the time of processing it will constitute personal data. 

Another consideration the new definition takes into account is whether the controller or processor ought to have known that another person will likely to obtain the information because they were processing it and that the individual will most likely be identified by that person by reasonable means at the time of processing.

Oscar Poku 11:42

Does this mean the responsibility of protecting my data or your data is solely in the hands of the controller or processor of personal data.

Ciara Duggan 11:51

Yes it does, the burden to protect the personal data will rely on the controller or processor, and persons who are likely to receive the information, rather than anyone in the world.

Oscar Poku 12:00

What about data subject access requests? Does the bill make any proposals? If so, how will the proposals affect organisations that deal with such requests?

Ciara Duggan 12:10

That’s a good question and before I answer that, let us quickly refresh our memories on data access subject requests or DASR. Under UK data protection law, individuals have the right to access to their personal data that organisations hold about them. However, complying with these requests can be very complex and burdensome task. As a result, the bill wants to bring changes to data subject access requests by changing the threshold for either charging a reasonable fee or refusing to comply with a request. It aims to change the threshold from ‘manifestly unfounded or excessive’ to ‘vexatious and excessive’. 

Oscar Poku 12:46

Can you please explain was vexatious means? 

Ciara Duggan 12:48

The concept of vexatious and excessive is not new in UK. For instance, one can find traces of the concept in the Freedom of information act. According to ICO, “whether a request is vexatious or not, will ultimately depend upon the circumstances surrounding that request. “In the context of DSARs, organisations will also have to determine if the “vexatious” threshold is satisfied.

Oscar Poku 13:10

Another interesting proposal in the bill surrounds the use of automated decision making. The main issue that was posed was the extent to which human oversight is needed in automated decision making by AI. Under current data protection laws, we all have a right "not to be subject to a decision based solely on automated processing." However, it seems we are not always clear on what this means. Therefore, the new bill will seek to amend existing provisions and include a right to human intervention when an automated decision making system uses personal data to make a decision. However, the right to human oversight will only apply to significant decisions rather than decisions that produce legal effects or similarly significant effects. 

While the bill makes bold proposals, the enforcement of the proposals will also be key. Without adequate enforcement protocols, such proposals will not be effective. The bill recognises this and would give powers to the ICO to question either a controller or processor of data when there is a breach of data protection law. 

Ciara Duggan 14:18

We have reviewed data protection developments in 2022, however, do we know what’s in store for 2023 for the UK data protection landscape? 

Oscar Poku 14:26

While it is difficult to decipher how the data protection scene in the UK will look like in 2023, however there are some key topics that will likely make headlines this year. One of the most exciting headlines will be the development of the metaverse and regulation Artificial Intelligence. Our webinar issued in November 2022 touches upon these topics.

Ciara Duggan 14:48

I often hear a lot about the metaverse, but can you explain what it means? 

Oscar Poku 14:52

Yes so, the metaverse can be described in various ways, but in general terms, it is a set of digital spaces or virtual spaces that seeks to transform human social connection by allowing individuals to connect with one another even if they are not physically in the same place. It allows users to communicate with each other in a virtual world through their created avatars and virtual reality glasses. However, there is more to the metaverse. The metaverse aims to be more than just a set of digital spaces. The metaverse also wants to incorporate elements of our real and physical world in its virtual space. For instance, in the metaverse, you can work, shop, learn and connect with others as you would in real life.

The Development of the Metaverse and the constant evolution of Artificial Intelligence, will trigger regulation and data protection in such areas. 

Ciara Duggan 15:48

We have already seen this through the government’s AI Regulation Policy Paper which considers six AI governance principles. It seems like the UK government’s approach has been to make enquiries with regulators in the AI space and then us their answers to explain and implement principles that will aid how the UK regulates AI going forward.

Some of theses principles are as follows; 

-       Ensuring the safe use of AI through a context based approach when assessing the risk involved in the use of AI. 

-       Making the use of AI fair or embedding considerations of fairness into AI to minimise the likelihood of AI bias in sectors like employment 

-       Ensuring there is accountability for the outcomes of AI systems by making sure there is identifiable legal person. 

Oscar Poku 16:30

To ensure these principles in the policy paper are actioned, the government has identified the following bodies as regulators: The ICO, Competition and Markets Authority also known as the CMA, Ofcom, Medicine and Healthcare Regulatory Authority also known as MHRA, and Equality and Human Rights Commission.

For businesses, to rely on the use of AI, it is vital to identify who is responsible for AI governance and strategy within the organisation. This allows them to review AI strategy within the organisation. Most importantly, this will help businesses review the proposed principles and see how they can help ensure the effective use of AI in the UK.

In regard to the metaverse, AI plays a crucial role in its development. As a result, if the government can ensure a safe regulatory regime for AI, we can see a further acceleration in the development metaverse in employment, real estate and several other sectors. 

Ciara Duggan 17:31

I read basically that you are allowed to buy real estate in the metaverse. Is this true? 

Oscar Poku 17:37

Yes indeed, you can purchase virtual real estate in the metaverse. This will be a “programmable spaces where people can connect to buy, sell or rent their virtual properties using metaverse tokens or cryptocurrency”. The process will mirror some of real world formalities involved in purchasing real estate. One of the main ones being a virtual title number that proves ownership.

However, we are still in the early stages of the metaverse and we are anticipating that there will be new jurisdiction-specific rules in relation to data and how this data is processed and transferred in the metaverse.

Ciara Duggan 18:14

All this talk of AI and the metaverse are great examples of the constant evolution of technology. For the UK to benefit from this, it’s clear that we will need ata protection reform in these areas. However, a consistent approach will need to be taken by regulators and businesses to ensure that such data reforms have high standards and comply with the EU’s data protection regime. This is particularly important as the EU continues to monitor the UK to check whether it can maintain its ‘adequacy’ status.

Oscar Poku 18:41

Can you briefly explain what an adequacy status is? 

Ciara Duggan 18:45

This is the level at which the EU deems the level of data protection provided by countries outside the union to be “essentially equivalent” to the protection provided by the EU. As a result, any reform made by the UK will be closely reviewed by the EU ahead of their 2025 review. If the UK data protection regime deviates significantly from the EU data protection regime, there is risk of this impacting the UK’s “adequacy” status and this will therefore impact whether the safeguards the UK has in place are sufficient to protect personal data.

Oscar Poku 19:16

So, overall, it looks to be an interesting year of data protection developments with potential significant changes to the UK’s data protection regime. If you need any advice in relation to any of the points mentioned, please do not hesitate to contact a member of our data protection team who will be happy to assist.

Thank you for listening and we hope that you enjoyed the podcast.