Sectoral codes of conduct to play a useful compliance role
The UK continues its path of developing its national data protection law in parallel, but not necessarily identical, with the GDPR. There are strong arguments in favour of a consistent approach between the UK and the European Economic Area Member States so that organisations can operate with the same policies and practices in all these jurisdictions. Examples are adtech and codes of conduct.
While no EU-wide codes of conduct have yet been adopted, the UK’s charity sector would benefit from having a code approved by the ICO. Following a code would give charities confidence in their compliance and an increased sense of awareness of what the ICO expects of them.
Regardless of political difficulties of conducting the Brexit negotiations, a well written value-added charity code of conduct, consistent with the GDPR, could be the basis for one which operates at EU level or indeed internationally. This was the path of the UK’s data security standard which developed into the internationally recognised ISO/IEC 27001 Information Security Management Standard. DPA resources are scarce for detailed sectoral work so a UK charity code of conduct model might be welcome by other national DPAs on the European Data Protection Board.
We at PL&B are keen to help charities prepare for a code of conduct. A good starting point for any organisation to prioritise its data protection issues is PL&B’s new Data Protection Law Clinic.
ICO’s investigation of Clearview AI Inc indicates its international stance
While UK-EU Brexit negotiations continue quietly with little to announce so far from the data protection perspective, the ICO is taking a more internationalist stance. The ICO announced on 9 July that it will open a joint investigation with Australia’s DPA into the personal information handling practices of Clearview AI Inc., focusing on the company’s use of ‘scraped’ data and biometrics of individuals.
Reflecting the fact that Elizabeth Denham, Information Commissioner, is the Chair of the Global Privacy Assembly, the ICO is choosing to work with a non-European country on this Clearview investigation, as it did with Canadian DPAs on the Facebook/Cambridge Analytica investigation. However, both parties have left the door open to cooperate with other DPAs, as the issues are similar in every country. Accordingly, the ICO states “The OAIC and ICO will engage with other data protection authorities who have raised similar concerns, where relevant and appropriate.” As Clearview has announced that it also provides its services to financial services companies and retailers, the focus in other countries could be on different sectors. The investigation highlights the importance of enforcement cooperation in protecting the personal information of Australian and UK citizens in a globalised data environment, the ICO says.
In its 9 July announcement, the ICO refers to the Global Privacy Assembly’s initiative, the Global Cross Border Enforcement Cooperation Arrangement. This group of 11 jurisdictions, including some European countries, would be ideal for conducting this type of investigation. But one reason for the ICO working specifically with Australia is that the ICO has a Memorandum of Agreement with the Office of the Australian Information Commissioner (OAIC) which both signed in January this year.
While the pandemic continues to dominate data protection law issues (pp. 9,10, 22), there are now signs that more traditional privacy law agenda items (pp.22, 23) are again demanding our attention.
Regards,
Stewart Dresner, Publisher
UK Report 110
Lead stories:
Beyond adequacy – Brexit’s wider data privacy implications
Rebecca Cousin and Cindy Knott of Slaughter and May discuss the challenges ahead, and how organisations can best prepare.
Achieving a privacy-first Adtech digital marketing strategy
Brands face pressure to protect privacy in their digital marketing activities. It’s not coming from the ICO, but from the market. By Abigail Dubiniecki of Strategic Compliance Consulting Ltd.