Data law | UK Regulatory Outlook October 2024
Published on 30th Oct 2024
UK government publishes Data (Use and Access) Bill | Updates from the European Data Protection Board | EU Commission publishes first review of the EU-US Data Privacy Framework
UK government publishes Data (Use and Access) Bill
The UK government has published its much-anticipated draft data legislation, the Data (Use and Access) Bill. The bill is about a lot more than data protection, standardising information sharing across the NHS or (potentially) removing (some) barriers to the implementation of AI systems. It encourages data use across sectors, including, for example, by creating a framework for smart data schemes, introducing a certification framework for digital identity verification systems, and making changes to UK data protection laws.
See our Insight, which provides an overview of the key provisions of the bill.
Updates from the European Data Protection Board
During its latest plenary in October 2024, the European Data Protection Board (EDPB) adopted its work programme for 2024-2025 alongside a number of other documents – we provide an overview below.
EDPB work programme 2024-2025
The EDPB's work programme is structured under four pillars: enhancing harmonisation and promoting compliance; reinforcing a common enforcement culture and effective cooperation; safeguarding data protection in the developing digital and cross-regulatory landscape; and contributing to the global dialogue on data protection.
Enhancing harmonisation and promoting compliance
Key actions include:
- the development of further guidance on key issues and concepts, including anonymisation, pseudonymisation, legitimate interest, children's data, "consent or pay" models, processing of data for scientific research purposes, the data subject right of access under the Law Enforcement Directive, passenger name records, and age verification criteria; and
- supporting the development and implementation of compliance measures for controllers and processors, including issuing opinions on accreditation requirements for monitoring bodies of codes of conduct and for certification bodies, on codes of conduct, and on certification criteria, including the European Data Protection Seal.
Reinforcing a common enforcement culture and effective cooperation
The EDPB will further strengthen efforts to ensure effective enforcement of the GDPR and cooperation between the members of the EDPB.
Safeguarding data protection in the developing digital and cross-regulatory landscape
The EDPB plans to create common positions and guidance in the cross-regulatory landscape, including:
- separate guidelines on the interplays between EU data protection law and the EU AI Act, the Digital Services Act and the Digital Markets Act;
- a position paper on the interplay between EU data protection and competition law;
- guidelines on processing to target or deliver political advertisements;
- guidelines on transfers of personal data in the context of transfers of crypto assets; and
- a document on anti-money laundering and countering financing of terrorism requirements.
It also plans to monitor and assess new technologies, with the development of guidance to promote a human-centric approach to topics, including:
- guidelines on generative AI (data scraping), telemetry and diagnostic data, blockchain and the use of social media by public bodies; and
- a document on mandatory user accounts on online shopping websites.
Contributing to the global dialogue on data protection
This includes the work on the GDPR and LED data transfer mechanisms and their practical implementation, as well as strengthening cooperation between EDPB members and non-EU data authorities.
EDPB adopts opinion on aspects of the relationship between controllers and their processors/sub-processors
The EDPB has adopted an opinion on the interpretation of certain obligations of controllers that rely on processors and sub-processors, arising in particular from article 28 of the GDPR, as well as the wording of controller-processor contracts. It addresses processing in the European Economic Area (EEA), as well as processing following a transfer to a third country.
It concludes, among other things, that:
- A controller should have the information on the identity (that is, name, address, contact person) of all processors and sub-processors readily available at all times.
- A controller must always verify whether its processors and sub-processors have given "sufficient guarantees" that the processing is compliant, and this applies regardless of the level of risk. However, the extent of verification varies with the level of risk.
- The decision on whether to engage a specific sub-processor and the responsibility for them, including with respect to verifying the guarantees, remains with the controller, but it is not mandatory for the controller to itself see copies of the chain of sub-processor contracts; it depends on the risk level.
- In relation to the wording of controller-processor contracts, article 28(3)(a) of the GDPR states that a processor can process personal data only on the controller's "documented instructions" unless the processor is "required to [process] by Union or Member State law to which the processor is subject". The opinion states that it is not mandatory to include this latter carve-out wording (or something very similar), but it is highly recommended. The EDPB goes on to say that the generic alternative wording (also frequently used in practice), "unless required to do so by law or binding order of a governmental body", which could be interpreted to include non-EEA local law (especially where the processor is based outside the EEA), is acceptable where the processor is based within the EEA but may be problematic where personal data is processed outside the EEA – see below.
- For personal data transferred outside of the EEA, the EDPB considers that the addition of the above carve-out wording is, in itself, unlikely to comply with article 28(3)(a). Instead, the contract should distinguish between the third country law(s) which would undermine the level of protection guaranteed by the GDPR and those that would not. Additional measures should apply in each case, and the contract should specify that third country law does not release the processor from its obligations under the GDPR.
For controllers looking to encourage their processors to take more seriously the obligation to disclose and keep up to date their list of sub-processors (which can be an onerous obligation and one that processors often seek to dilute), this opinion may provide additional ammunition. However, the more detailed analysis and recommendations around article 28(3)(a) are less likely to be impactful in the short term.
EDPB consults on guidelines for processing on legitimate interest basis
The EDPB has published for consultation draft guidelines on processing of personal data based on article 6(1)(f) of the GDPR (legitimate interest).
These guidelines analyse the criteria in article 6(1)(f) of the GDPR that controllers must meet to lawfully engage in the processing of personal data based on the legitimate interests of the controller or a third party. The draft guidelines provide a detailed analysis of how these criteria are to be met and the challenges encountered in practice, including how to determine whether the processing is "necessary", what kinds of legitimate interest are applicable, and how to conduct the legitimate interests balancing test.
The guidelines also explain the relationship between the legitimate interests ground and a number of data subject rights under the GDPR.
The deadline for comments is 20 November 2024.
EDPB statement on the draft regulation laying down additional procedural rules for the enforcement of the GDPR
The EDPB has published a statement on the recent legislative developments on the draft regulation laying down additional procedural rules for the enforcement of the GDPR (see this Regulatory Outlook for background).
In its statement, the EDPB sets out, among other things, recommendations to streamline cooperation and improve enforcement of the GDPR.
In addition, the EDPB highlights that including many references to national law in the new regulation would not be in the spirit of increased harmonisation and should therefore be avoided.
EDPB announces topic for 2025 coordinated action
The EDPB has chosen the topic for its fourth coordinated enforcement action (CEA), which is the implementation of the right to erasure (right to be forgotten) by controllers. The action will be launched in the first quarter of 2025. This means that the EDPB will prioritise the right to erasure as a specific topic for data protection authorities to work on at national level, including by analysing and comparing the processes put in place by different controllers, in order to identify the most important compliance issues and get an overview of best practice. In 2024, the EDPB's CEA is focusing on the implementation of the right of access (see this Regulatory Outlook).
EDPB publishes guidelines on technical scope of Article 5(3) of ePrivacy Directive
The EDPB has adopted and published the final version of its Guidelines 2/2023 on the technical scope of Article 5(3) of the ePrivacy Directive, following a consultation launched last year. It notes that "the technical landscape has been evolving during the last decade [since the EDPB's Opinion on device fingerprinting was issued], with the increasing use of identifiers embedded in operating systems, as well as the creation of new tools allowing the storage of information in terminal equipment".
The guidelines address the broader range of tracking tools (that is, beyond cookies) to which Article 5(3) applies. They aim to clarify which technologies are within scope of this provision.
The guidelines identify the three key elements for the applicability of Article 5(3): information (whether or not such information amounts to personal data); terminal equipment of a subscriber or user; and the storing of information or gaining access to information already stored in that terminal equipment. They provide a detailed analysis of each element, applying it to a non-exhaustive list of use cases, such as:
- URL and pixel tracking;
- local processing;
- tracking based on IP address only;
- intermittent and mediated Internet of Things reporting; and
- unique/persistent identifiers.
EU Commission publishes first review of the EU-US Data Privacy Framework
The European Commission has published a report on the first anniversary of the adequacy decision on the EU-US Data Privacy Framework. It concludes that the US authorities have put in place the necessary structures and procedures to ensure the effective performance of the framework. This includes the implementation of safeguards to limit access to personal data by US intelligence authorities to what is necessary and proportionate to protect national security, and the establishment of an independent and impartial redress mechanism.
The Commission will continue to closely monitor relevant developments, paying particular attention to:
- the upcoming reports of the Privacy and Civil Liberties Oversight Board on the implementation of Executive Order 14086 on Enhancing Safeguards for United States Signals Intelligence (EO 14086) and the functioning of the signals intelligence redress mechanism, in particular the Data Protection Review Court; and
- possible further amendments to section 702 of the Foreign Intelligence Surveillance Act (FISA), relating to the conditions and limitations applicable to signals intelligence.
The Commission considers it important for the EU and US data protection authorities to develop common guidelines on key requirements under the framework's principles, for example on HR data and onward transfers. It proposes to carry out the next review in three years.
ICO launches audit framework to help organisations assess their data protection compliance
The UK Information Commissioner's Office (ICO) has launched a new audit framework to help organisations assess their compliance with key requirements under data protection law. The ICO describes it as a "starting point" for the evaluation of how an entity handles and protects personal information.
There are nine toolkits: accountability, records management, information and cyber security, training and awareness, data sharing, requests for data, personal data breach management, AI, and age-appropriate design. Each toolkit has a data protection audit tracker that will help organisations identify and track actions in areas needing improvement.
This is not the first framework the ICO has developed to assist businesses in assessing their compliance with data protection law (for example, the ICO's very detailed accountability framework, which was not widely adopted), and it will be interesting to see if businesses are more receptive to this framework.
ICO's report on quantum technologies
The ICO has published a report on its early-stage thinking on the intersection of quantum technologies and data protection. The report looks at "what a quantum-enabled future could look like, through a data protection and information rights lens."
It covers a broad range of quantum technologies, from quantum sensing, timing and imaging to quantum computing and quantum communications, considers use cases in various sectors, such as medicine, finance, communications and law enforcement, and explores when they may develop.
The ICO highlights the possibility that quantum computers could one day break the widely used cryptographic algorithms that protect data. The report warns that larger organisations, such as digital service providers or financial service providers, should start to prepare for the transition to post-quantum cryptography, including by identifying high-risk information, critical systems and at-risk cryptography.
The ICO reminds organisations considering quantum use cases which involve personal data that they can apply to be part of its Regulatory Sandbox programme.