Sectoral codes of conduct to play a useful compliance role



The UK continues its path of developing its national data protection law in parallel with, but not necessarily identical to, the GDPR. There are strong arguments in favour of a consistent approach between the UK and the European Economic Area Member States so that organisations can operate with the same policies and practices in all these jurisdictions. Examples are adtech (p.1) and codes of conduct (p.20).

While no EU-wide codes of conduct have yet been adopted, the UK’s charity sector would benefit from having a code approved by the ICO. Following a code would give charities confidence in their compliance and an increased sense of awareness of what the ICO expects of them.

Regardless of the political difficulties of conducting the Brexit negotiations (p.15), a well-written, value-added charity code of conduct, consistent with the GDPR, could be the basis for one which operates at EU level or indeed internationally. This was the path of the UK’s data security standard, which developed into the internationally recognised ISO/IEC 27001 Information Security Management Standard. DPA resources are scarce for detailed sectoral work, so a UK charity code of conduct model might be welcomed by other national DPAs on the European Data Protection Board.

We at PL&B are keen to help charities prepare for a code of conduct. A good starting point for any organisation to prioritise its data protection issues is PL&B’s new Data Protection Law Clinic.

ICO’s investigation of Clearview AI Inc indicates its international stance

While UK-EU Brexit negotiations continue quietly with little to announce so far from the data protection perspective (p.1), the ICO is taking a more internationalist stance. The ICO announced on 9 July that it will open a joint investigation with Australia’s DPA into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.

Reflecting the fact that Elizabeth Denham, Information Commissioner, is the Chair of the Global Privacy Assembly, the ICO is choosing to work with a non-European country on this Clearview investigation, as it did with Canadian DPAs on the Facebook/Cambridge Analytica investigation. However, both parties have left the door open to cooperate with other DPAs, as the issues are similar in every country. Accordingly, the ICO states “The OAIC and ICO will engage with other data protection authorities who have raised similar concerns, where relevant and appropriate.” As Clearview has announced that it also provides its services to financial services companies and retailers, the focus in other countries could be on different sectors. The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment, the ICO says.

In its 9 July announcement, the ICO refers to the Global Privacy Assembly’s initiative, the Global Cross Border Enforcement Cooperation Arrangement. This group of 11 jurisdictions, including some European countries, would be ideal for conducting this type of investigation. But one reason for the ICO working specifically with Australia is that the ICO has a Memorandum of Agreement with the Office of the Australian Information Commissioner (OAIC) which both signed in January this year.

While the pandemic continues to dominate data protection law issues (pp. 9, 10, 22), there are now signs that more traditional privacy law agenda items (pp. 22, 23) are again demanding our attention.

Regards,

Stewart Dresner, Publisher

 

UK Report 110

Lead story:

Beyond adequacy – Brexit’s wider data privacy implications

Rebecca Cousin and Cindy Knott of Slaughter and May discuss the challenges ahead, and how organisations can best prepare.

Contents also include:

  • Comment: The unexpected consequences of the pandemic
  • Achieving a privacy-first Adtech digital marketing strategy
  • Regulating biometrics post-Covid?
  • What’s in store for contact tracing apps in the UK?
  • AI and the transparency challenge
  • Courts will not go back to where they were pre-pandemic
  • A Code of Conduct for the charities sector – a possibility?
  • Security risks from home working
  • ICO issues guidance on workplace virus testing
  • UK responds to EDPB concerns over its adequacy application
  • Babylon Health data breach
  • TechUK, NLdigital stress that seamless data transfers are crucial
  • EU-UK Brexit negotiations: GDPR rules still apply
  • Pubs, restaurants asked to help track customers
  • GDPR review calls for better handling of cross-border cases
  • EU issues update on Brexit talks and adequacy
  • Easyjet faces a UK ‘class action’
  • Legal challenge to Test and Trace
  • Guidance on data retention