Data Law | UK Regulatory Outlook June 2024

UK general election: what the main parties say about data

The two main political parties (Conservative and Labour) competing to win the general election on 4 July 2024 have published their manifestos.

The Conservative Party manifesto does not mention the Data Protection and Digital Information Bill (DPDI Bill), which fell after the "wash-up" period. However it does say that "only the Conservatives will keep on removing EU laws from our statute book". The bill aimed to clarify and simplify obligations under the UK GDPR. It also included "smart data" provisions aimed at opening up consumer data flows in various sectors (similar to the UK's "open banking" scheme in the financial services sector) and provisions on digital identity verification. It will now be up to the new government to decide how to proceed. 

The Labour Party was, generally speaking, opposed to much of the DPDI Bill, and only supported the "smart data" and digital identity verification provisions. If it wins on 4 July, it may well bring those elements back. On "smart data", Labour says in its manifesto that it would support innovation and growth in the financial services sector and refers to the success of "open banking". The manifesto also says that a Labour government would bring back the provisions that would give families of children who have died, as well as coroners, access to the child's social media data.

In addition, its manifesto states that a Labour government would reform planning laws to make it easier to build data centres, and that Labour would create a new National Data Library to bring together existing research programmes, help deliver data-driven public services, and make it easier to access public data for research.

EDPB adopts opinion on facial recognition at airports

The European Data Protection Board (EDPB) has published an opinion on the use of facial recognition at airports for the specific purpose of streamlining the passenger flow at airports at four checkpoints: the security checkpoint, baggage drop-off, boarding, and access to a passenger lounge.

The opinion is in response to a request from the French Data Protection Authority. The request was limited in scope, so the opinion does not examine the use of facial recognition in general or as used for security purposes by law enforcement bodies. It is also assumed throughout the opinion that the passenger has given valid consent to the data processing. It does not, therefore, examine the applicable legal basis or whether the consent is indeed valid.

The opinion analyses the compatibility of facial recognition processing with four GDPR principles: (i) the storage limitation principle; (ii) the integrity and confidentiality principle; (iii) data protection by design and default; and (iv) security of processing.

The opinion examines four data processing scenarios:

1. the biometric data is stored by the passenger on their individual device, under their sole control, and is deleted shortly after the check is complete;
2. the biometric data is stored centrally, within the airport, in encrypted form, with the encryption key held only by the passenger and the data stored for a given period, for example, up until the passport expiry date;
3. the biometric data is stored centrally in encrypted form within the airport under the airport operator's control and is deleted once the plane has taken off; and
4. the biometric data is stored centrally in encrypted form in the cloud under the control of the airline company or its cloud service provider and is stored for as long as the passenger holds an account with the airline.

The opinion notes that in all scenarios, the controller will only meet the GDPR's necessity principle if it can show that there are no less intrusive alternative solutions that could be used to achieve the same objective as effectively.

It also finds that the only scenarios which might, in principle, be compatible with the four principles considered are where the biometric data is stored in the hands of the individual passenger (scenario 1) or in a central database with the encryption key solely in the passenger's hands (scenario 2). This will only be the case, however, if appropriate safeguards are also implemented to mitigate any risks. In respect of scenario 2, the EDPB also says that the controller must be able to justify the long storage period and recommends that controllers always use the shortest storage period possible and offer passengers the option of setting their own storage period.

As for the third and fourth scenarios, the opinion concludes that there is a risk in both scenarios of third parties gaining access to the data leading to the unlawful identification of passengers in other settings. In the EDPB's view, streamlining passenger flow can be achieved using less intrusive means. Therefore, processing in these ways cannot meet the necessity principle.

While limited in purpose and scope, the opinion is still useful as a starting point when considering the use of facial recognition technology and its compliance with the GDPR in different scenarios.

ICO publishes its finalised Enterprise Data Strategy

The UK Information Commissioner's Office (ICO) has, following consultation, published the final version of its Enterprise Data Strategy, which sets out how it intends to utilise data to shape its corporate, regulatory and strategic priorities (see this Regulatory Outlook), alongside a summary of the responses received.

The ICO received nine responses to the consultation, which all indicated support for the strategy, although some raised concerns that the ICO trying to set an example of responsible innovation in the use of data might shift its focus from its regulatory responsibilities. The ICO has acknowledged these concerns, but says that it believes that its approach will help it become a more modern and effective regulator.

The ICO has made various changes to the strategy in response to the feedback it received, including:

• publishing an additional implementation plan outlining the practical details of what it plans to deliver during the first year;
• including a scorecard to assess at the end of the first year whether its outputs have made a positive impact on its level of data maturity;
• adopting an "openness by default" approach to make its data more visible and creating a data catalogue of its data assets that is accessible via its website;
• providing those staff members who handle data directly with training on data ethics and making a data ethics self-assessment toolkit available to all employees involved in data-driven insights; and
• keeping its survey open, despite the consultation having closed, to ensure continuous feedback from organisations and the public.