Regulatory Outlook

Data Law | UK Regulatory Outlook September 2024

Published on 25th Sep 2024

EU Commission plans to create new SCCs for data transfers to third country controllers and processors subject to GDPR | ICO publishes update on children's code strategy and a call for views on processing children's data for recommender systems and age assurance purposes | UK government consults on changes to data protection fee regime

EU Commission plans to create new SCCs for data transfers to third country controllers and processors subject to GDPR

The European Commission has announced that it is planning to consult on a new set of standard contractual clauses (SCCs) to specifically address the scenario where personal data is sent to a data importer who is located in a non-EEA country, but is directly subject to the EU GDPR. The new clauses will be complementary to the existing SCCs.

The draft of these new clauses is not yet available. According to the Commission, the consultation is planned for the fourth quarter of 2024, with adoption planned for the second quarter of 2025.

This issue is a known gap in the old SCCs, which was not addressed in 2021 when the Commission released the existing SCCs under the EU GDPR. Even after adoption of the newly announced clauses, it is likely that there will be a reasonable period for implementing them (as there was previously when new SCCs were introduced).

UK ICO launches new tool to help small businesses create privacy notices

The UK Information Commissioner's Office (ICO) has launched a new tool to help small and medium-sized businesses and sole traders create a tailored privacy notice.

The tool contains sections specific to the finance, insurance and legal sectors, education and childcare, health and social care, and charity and voluntary sectors. It also contains sections designed for other small organisations in sectors such as retail and manufacturing.

The tool offers two types of privacy notices: one for customer and supplier information, which can be placed on the organisation's website; and another for staff and volunteer information to be used internally.

ICO publishes update on children's code strategy and a call for views on processing children's data for recommender systems and age assurance purposes

The ICO has published a progress update on its children's code strategy, which it first published in April 2024. See this Regulatory Outlook for background.

As part of its first phase of work, the ICO undertook a review of a sample of social media platforms and video-sharing platforms, focusing on the priority areas outlined in April 2024. The ICO created accounts using proxies for children of different ages to replicate the sign-up process that children would follow. It observed key account settings and privacy information presented to child users, but did not interact with other users.

Where the ICO has encountered issues, it is engaging with the platforms concerned to secure improvements and says that it will take enforcement action if necessary.

To assist its understanding of how platforms use children's personal data in recommender systems and in relation to profiling techniques used to identify children under 13 years of age, the ICO has also published a call for evidence. The deadline for responses is 11 October 2024.

UK government consults on changes to data protection fee regime

The Department for Science, Innovation and Technology (DSIT) has launched a consultation on proposals to amend the current data protection fees payable by data controllers to the ICO, following a statutory review of the regime launched in 2023.

The review found that current fee levels are no longer adequate to offset the costs incurred by the ICO. Therefore, the government is seeking to increase the annual fees payable to the ICO. The consultation closes on 3 October 2024.

DSIT proposed an uplift to fees of 37.2% distributed evenly across the tiers, although the final decision on the amount of the increase will be informed by the outcome of the consultation. If implemented, this would mean the following increases:

  • Tier 1 (micro organisations – maximum turnover of £632,000 or no more than 10 members of staff): increase from £40 to £55.
  • Tier 2 (small and medium organisations – maximum turnover of £36 million or no more than 250 members of staff): increase from £60 to £82.
  • Tier 3 (larger organisations): increase from £2,900 to £3,979.

DSIT is not proposing to make any changes to the tier system itself, or to the current exemptions. Any changes would not be implemented until 2025.

DSIT says that its proposals aim to secure the financial resources required to support the ICO in fulfilling its functions effectively, including "to support the successful implementation of the Digital Information and Smart Data Bill announced in the King's Speech" (see this Regulatory Outlook). The comment perhaps suggests that the government intends to bring a new data bill forward at some point during this Parliament.

ICO takes action against website for unlawfully processing personal data through advertising cookies without consent

The ICO has reprimanded Bonne Terre Limited (trading as Sky Betting and Gaming) for unlawfully processing people's personal data and sharing it with advertising technology companies as soon as users landed on the company's website and before they were asked for consent.

The ICO has found that third-party marketing cookies were being deployed as soon as visitors arrived at the website, and before they had been presented with a pop-up from a cookie consent management platform allowing them to accept or reject them. As a result, visitors' personal data collected by the cookies was made available to and processed by adtech vendors without the users' consent or any other lawful basis, and in breach of the requirements for the processing of personal data to be lawful and fair under Articles 5(1)(a), 6(1)(a) and 7(1) of the UK GDPR.

In deciding to issue a reprimand rather than a fine, the ICO took into consideration the facts that Sky had contractual controls that restricted the adtech vendors' use of the cookies data to certain limited commercial purposes, and that the shared data did not reveal that data subjects had interacted with a gambling website.

This action was taken as part of the ICO's work to crack down on misuse of cookies in advertising (see this Regulatory Outlook for background). The ICO now says that it is investigating the data practices of several data management companies. Later this year, it intends to consult on updated draft cookies guidance and to publish its position on the cookie "consent or pay" business model following a consultation (see this Regulatory Outlook).


Regulatory law affects all businesses.

Osborne Clarke’s updated Regulatory Outlook provides you with high level summaries of important forthcoming regulatory developments to help in-house lawyers, compliance professionals and directors navigate the fast-moving business compliance landscape in the UK.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
