Data Law | UK Regulatory Outlook November 2024
Published on 27th Nov 2024
Progress of the Data (Use and Access) Bill | ICO prioritising work to protect children online | ICO publishes report on genomics
Progress of the Data (Use and Access) Bill
The Data (Use and Access) Bill, introduced to Parliament last month, had its second reading on 19 November 2024. The speeches given about it in the House of Lords suggest that it is going to come in for a certain amount of scrutiny. Provisions that were discussed include automated decision making, and the definition of "research". There were also concerns about data issues which are not in the bill, including:
- Copyright issues with use of data for training AI systems.
- Readiness (or otherwise) of the GDPR for the increasing processing of data in AI systems.
- Maximising the use of NHS data, including exploitation of it as a valuable national asset.
- Bolstering cybersecurity for sensitive data, such as NHS data.
The bill has now entered the committee stage, with the first committee meeting scheduled for 3 December 2024.
ICO prioritising work to protect children online
As part of its children's code strategy, the Information Commissioner's Office (ICO) has reviewed a number of social media and video-sharing platforms and specifically asked 11 of them to explain issues relating to default privacy settings, geolocation and age assurance. While most of them have engaged voluntarily, the ICO has issued formal information request notices to three companies.
The ICO has also published Children's Data Lives 2024, third-party research which highlights that:
- children often do not see entering personal information, posting updates, and interacting with algorithms as "data sharing" or consider their data rights;
- children struggle to understand how companies use their data and find privacy policies difficult to access or process. Some platform features encourage them to share more information;
- many children feel that sharing data is necessary to access online content, but not a choice; and
- most children surveyed had provided incorrect ages to bypass age restrictions on platforms.
Protecting children online is one of the ICO's current priorities, and these activities demonstrate that the regulator is proactively pushing companies to improve their children's privacy practices.
ICO publishes report on genomics
The ICO's new report considers issues raised by the development of genomics, not just in relation to healthcare, where its benefits are well-known, but also in education, direct-to-consumer services, insurance and law enforcement. The report considers:
- understanding when genomic data may be personal information;
- the complexities of using and sharing third party genomic information and inferences derived from it;
- the associated risks and challenges of anonymising and pseudonymising genomic information to ensure privacy by design without compromising innovation; and
- the significant risks of bias and discrimination from the processing of genomic information.
It is aimed at organisations looking to deploy innovative forms of processing based on genomic data and is illustrated by plausible scenarios, use cases and solutions.
The ICO invites organisations working in this area to share their views. It particularly wants to hear from those who may be interested in working with its Regulatory Sandbox on embedding privacy by design, and to hear views on the potential creation and development of standards in this area.
ICO publishes recommendations on use of AI tools in recruitment
See AI section
Global privacy authorities publish concluding joint statement on data scraping
Following the initial statement in August 2023 and based on engagement with social media companies and other stakeholders, several national privacy authorities (including the ICO) set further expectations for industry in their concluding statement on protecting against the risks of unlawful personal data scraping.
The statement advises organisations to deploy a combination of safeguarding measures to protect against unlawful scraping. While contractual terms allowing scraping of personal data are an important safeguard, such contracts do not themselves make the scraping lawful. Organisations authorising scraping for any purpose must ensure that they have a lawful basis for doing so, are transparent about the scraping they allow, and obtain consent where required by law. The statement highlights the importance of compliance with data protection, privacy and AI-specific laws when using scraped data sets and/or data from the companies' own platforms to train AI.
ICO seeks permission to appeal DSG Retail ruling on meaning of personal data
The ICO seeks permission to appeal the Upper Tribunal's judgment on its fining of DSG Retail Limited (DSG) to the Court of Appeal. This relates to the Commissioner's fine of £500,000 imposed on DSG in 2020 after a cyber-attack. The First-tier Tribunal (FTT) reduced the fine to £250,000 on DSG's appeal, and DSG was allowed to appeal the FTT’s decision to the Upper Tribunal on limited grounds.
In September 2024, the Upper Tribunal sent the case back to the FTT for reconsideration. It held that an organisation is not required to protect data against unauthorised processing by a third party in a case where, even though the data is personal data in the hands of the controller (for example, because the data is pseudonymised but the controller has access to the key), it is not personal data in the hands of a third party (for example, because the data is pseudonymised, and the third party does not have, and is not likely to gain access to, other data which it could combine with the pseudonymised data to re-identify individual data subjects).
In the ICO's view, the Upper Tribunal was wrong in interpreting the law in this way, saying that they have seen "many cases where people have been affected when malicious actors have accessed, deleted or encrypted pseudonymised personal data, for example when medical or financial data is compromised." This issue is important for organisations, as it will affect the nature of the security measures they need to put in place to protect personal data from the ever-increasing risk of cyber-attacks.