New Data Protection Bill should help reset the UK’s relationship with the EU
With the new Labour government’s announcement of the Digital Information and Smart Data Bill, some changes should be expected to the UK’s data protection law regime. But other aspects are likely to resemble the previous Conservative government’s Data Protection and Digital Information Bill.
A legislative timetable has not been announced. But most important from your organisation’s strategic perspective is the new government’s determination to reset the UK’s relationship with the European Union. While the new government has ruled out rejoining the EU Single Market or the EU Customs Union, it lacks the former government’s rigid Brexit stance and is already speaking about resetting its relationship with the EU by entering closer relationships with the EU where there are mutual benefits.
The economic context is bound to have an impact on the politics of data protection. The independent Office for Budget Responsibility stated as of 1 May this year “The post-Brexit trading relationship between the UK and EU …. will reduce long-run productivity by 4% relative to remaining in the EU.” Secondly: “Both exports and imports will be around 15% lower in the long run than if the UK had remained in the EU.”(1)
International trade in services often has a personal data component, as in banking and insurance. It is within the bounds of possibility, in my view, that the new government will be keener than the previous Conservative government not to antagonise the EU by taking reform of the UK’s data protection law close to the red lines endangering the UK’s EU adequacy status.
With some of the UK officials responsible for liaising with the European Commission able to draw on previous constructive relationships with their counterparts, business fear of the UK losing its adequacy status is now receding. We at PL&B will follow these developments closely and keep you informed.
The role of Privacy Architects
For the first time we feature in this edition a new job title, Privacy Architects, and explain the thinking behind it. The authors explain: “It may be a designated position or a role that privacy engineers, officers or lawyers take on in certain contexts.” The core of the approach is “Privacy professionals are there to work with … stakeholders, not against them.”
Ofcom’s TikTok fine
I expect that this type of thinking lay behind TikTok’s acceptance of a substantial £1.875 million fine by Ofcom, announced on 24 July. The fine was based on Ofcom’s powers under the Communications Act 2003 relating to issues including governance and transparency. Despite this Ofcom action not referring to data protection law, data protection law principles are related and relevant to the ICO’s priority campaign to protect children.
As a result, Ofcom's published decision makes recommended reading for any company providing video-sharing, gaming and other online services, for example:
- “Ofcom notes that the penalty would have been significantly higher had TikTok not self-reported the contravention, co-operated closely with our investigation and proactively taken steps to improve its internal processes following discovery of the issue.”
- “There is no evidence that the breach occurred deliberately or recklessly, and we have no reason to believe TikTok made any gain, financial or otherwise, as a result of the contravention.”(2)
Company management had to assess the advantages and disadvantages of appealing this fine and decided not to do so. As a result, Ofcom announced that it had reduced the fine by 25% because TikTok had accepted Ofcom’s findings and accepted full liability.
At this stage, it is not clear which level of management (national, European or global) took this decision. But usually, companies in this situation claim mitigating circumstances, do not accept liability and dispute the level of the fine.
Why did TikTok not take this line? It could have taken into account its national or global reputation. It could well be that broader business challenges meant that management did not want to take on too many regulators at one time. In other words, there may have been a consideration beyond the facts of this case, and the skills of a privacy architect were brought to bear in this situation.
With TikTok’s data protection team integrated into its data public policy team, considerations of its overall business strategy must have played an important part in the decision not to fight the case. The ICO’s membership of the Digital Cooperation Regulation Forum, chaired by John Edwards, the UK’s Information Commissioner, was an advantage for TikTok in this case. It means that Ofcom’s decision would settle the matter, shut down this case, and not let it erode the company’s public posture into the future.
Conference videos now available
John Edwards explained his position on regulatory cooperation at PL&B’s July conference. Both the highlights videos and the full-length videos are now available.
The year ahead is likely to produce changes to the UK’s data protection regime, and PL&B UK Report will help you not only to be informed but also to become involved in the process, if you wish.
Best regards,
Stewart Dresner
Publisher, Privacy Laws & Business
September 2024