Posts Tagged ‘ICO’

|

DUA: New Rules

16/06/25

Great – I’m a big fan.  Although I’ve got a sneaking suspicion this isn’t going to be a chat about our favourite Dua Lipa tunes.

Correct.  But now you’re here let me tell you about the other DUA you need to know about.

The Data (Use and Access) Bill (“DUA”) was introduced by the UK government in October 2024 as the pared-down successor of the previous government’s (now defunct) Data Protection and Digital Information Bill (“DPDI”), which itself was introduced in July 2022.  Since the bulk of its provisions had already been discussed in relation to the DPDI Bill, the DUA Bill was expected to have an easy journey through Parliament to the statute book.

However, shortly after introducing the DUA Bill the government published its Copyright and AI Consultation Paper as part of its consultation on copyright and AI, and you will almost certainly have read about the opposition by numerous well-known musicians, authors and other artists (including Elton John and Dua Lipa) against one of the policy options in the Consultation Paper, the so-called opt-out mechanism which would entitle AI developers to access and use copyright material for training purposes unless the copyright owner has expressly opted out.  And, although the DUA Bill as introduced by the government does not deal with the copyright and AI issue, the House of Lords decided to use it as a proxy to propose a number of legislative changes providing protection for the UK creative sector against AI developers.  The government rejected all amendments proposed by the Lords, and after more than a month of ‘ping-ponging’ between the House of Commons and the House of Lords, the Lords eventually gave way and the DUA Bill was passed on 11th June 2025. The bill is expected to receive Royal Assent in the next few days.

So we’ve just got our heads around the UK GDPR and we’ve now got a new data protection law running to 147 clauses and 16 schedules?  Really?

It’s not quite as bad as it looks.  First, although the DUA Bill is a chunky piece of legislation, less than half of it deals with data protection and privacy. Plus I agree with commentators who have described DUA as an evolution not a revolution of data protection law; as we’ll see there are a couple of interesting changes but for the most part the impact of DUA on SMEs is likely to be minimal.

By way of a summary of the data protection and privacy-related changes:

Quite a list but I take your point about evolution rather than revolution. That said, the last two sound interesting.  What’s happening with automated decision-making?

The current rules on automated decision-making (ADM) are set out in UK GDPR, Art 22.  In short they provide that an automated decision which produces legal effects on an individual (or similarly affects the individual) is only lawful if the decision:

Furthermore the data controller must implement “suitable measures” to safeguard the individual’s rights and freedoms, including the right for the individual to make representations about the decision, to obtain human intervention in relation to the decision, and to contest the decision.

The DUA Bill introduces additional flexibility by having different requirements depending on:

If a decision results from processing special category data then broadly speaking the existing ADM restrictions will continue to apply, i.e. the ADM is only lawful if the decision is necessary for entering into or performing a contract, or is required or authorised by law, or is based on the individual’s explicit consent.

However if the decision does not result from processing any special category data then the current restrictions will no longer apply. And as a result ADM could, for example, take place on the basis of legitimate interests, i.e. without obtaining any consents.

Separately, if automated processing (whether or not involving special category data) produces a significant decision, the controller must ensure safeguards are in place which ensure that the individual is provided with information about the decision and also enable the individual to:

It follows that if the automated processing does not produce a significant decision the controller is not required to put in place the safeguards, even if the decision resulted from the processing of special category data.

Two final points on the new ADM rules:

1. The DUA Bill provides that a decision is based solely on automated processing if there is no “meaningful human involvement”. Whether there is any meaningful human involvement will depend on, among other things, “the extent to which the decision is reached by means of profiling”.  If the controller concludes that there is meaningful human involvement in the decision-making then the ADM rules do not apply.

2. The Secretary of State has the right to issue regulations:

The big change here is clearly not having to obtain individuals’ consent when ADM doesn’t involve special category data. Remind me what special category data is?

The types of personal data which constitute special category data are listed in UK GDPR, Art 9(1):

“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”.

A couple of things to note: information regarding someone’s income, assets or their financial circumstances is not special category data; and as already mentioned the Secretary of State is entitled to add new categories to Art 9(1).

And finally what about the changes to cookies? Am I going to be able to get rid of my cookie banner?

The current rules are set out in The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).  In short they require a website provider to obtain user consent for all cookies except those which are “strictly necessary”.

The DUA Bill creates additional exceptions for cookies and other tracking technologies that are placed solely for the purposes of:

However website providers must still provide visitors with “clear and comprehensive” information about the purpose of the cookie, as well as a “simple means” of objecting to the cookie. In practice this may mean that cookie banners are here to stay but at least website providers can now pre-tick the consent box for functional/performance cookies.

 

Tags: , , , , , ,
Posted in Privacy, Updates | No Comments »

Direct marketing to business contacts

29/11/22 – The Information Commissioner’s Office (ICO) recently published new guidance on email marketing and phone marketing.  The guidance is supplementary to the ICO’s Guide to the Privacy and Electronic Communications Regulations (PECR) and (124-page) draft Direct Marketing Code of Practice.

Direct marketing is a fiddly area, with different rules depending on whether you’re using email/text, phone, post or (perhaps less likely) fax, and also whether you’re marketing to companies, sole traders/partnerships, or individuals.  This post takes a look at the rules for direct marketing by UK businesses of their own products and services, either by email or text/voice messaging services (such as WhatsApp or LinkedIn), or by phone.  It is not exhaustive, and there are additional rules if for example you are selling pensions or claims management services, marketing to children etc.

What’s the relevant law?

The law applicable to direct marketing is set out in the Privacy and Electronic Communications Regulations 2003 (PECR) and to a lesser extent the UK GDPR and Data Protection Act 2018. The ICO provides extensive, plain English overviews of all areas of marketing law.

Direct marketing by email/messaging services  

If you’re looking to market to a contact by email or using a text or voice messaging service then you either need to obtain the contact’s consent or you need to check if you can use the so-called ‘soft opt-in’ exemption.

Consent. For consent to be valid it needs to be freely given, specific, informed and unambiguous. In practice this means no pre-ticked checkboxes, and making sure the consent covers the type of communication you’re using – obtaining consent for marketing by email does not entitle you to send them a WhatsApp. The consent also needs to be separate from other consents, so you can’t include marketing consent in the tickbox wording used for accepting your terms of service.

Soft opt-in exemption.  To use the soft opt-in exemption, you need to meet all of the following criteria:

  1. You must have obtained the contact details yourself. You cannot for example use an email address obtained by someone in your marketing department.
  2. The contact details must have been obtained as part of a sale or negotiation, i.e. the contact must either be an actual customer or a prospect who has previously expressed an interest in your products or services.
  3. The marketing content must relate to products or services which are similar to the ones that your contact has previously purchased or been interested in.
  4. The contact must have had an opportunity to opt-out of receiving marketing messages when you obtained their details, and they must continue to have that option, e.g by including a ‘click to unsubscribe’ link in the message.

A few things to bear in mind:

 Direct marketing by phone

In short, you do not consent for making direct marketing phone calls, whether to individuals or to businesses, unless either of the following applies:

  1. The phone number is listed on the Telephone Preference Service (TPS) or the Corporate Telephone Preference Service (CTPS).
  2. Your contact or the business has previously objected to receiving marketing calls.

If the phone number is listed on TSP or CTPS you can still get consent to receive marketing calls. The ICO have suggested that any consent for overriding a TSP/CTPS listing should aim to meet the GDPR-style, opt-in standard that applies to direct marketing by email.

When making a direct marketing phone call, you must display your phone number (or a valid alternative number), say who is calling (and provide contact details if asked), provide clear information about the marketing, and make it easy for the recipient to object or opt out.

 

Tags: , , ,
Posted in Commercial, Privacy, Updates | No Comments »

UK IDTA comes into force

21/03/22 – As expected, the International Data Transfer Agreement (IDTA), as well as the Addendum to EU SCCs, came into force today as appropriate safeguards for transfers of personal data from the UK to third countries under Article 46 of the UK GDPR.  As part of the transitional arrangements the old EU SCCs (with appropriate modifications to make them ‘work’ for UK exporters) can continue to be used as an appropriate safeguard until 21 September 2022 and, if the processing remains unchanged, are capable of remaining valid until 21 March 2024.  If you’re not sure what I’m talking about, have a look at my 01/02/22 update.

We are still waiting for the ICO to publish a final version of their new Transfer Risk Assessment (TRA) precedent and tool.  In the meantime prospective exporters’ best bet is like to be to use the draft version from the ICO’s consultation last year.   More information about TRAs here.  I will you keep you updated.

Tags: , , ,
Posted in Privacy, Updates | No Comments »

What’s happening with UK international data transfers?

01/02/22 – If you or your organisation transfers, or may transfer, personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection (which currently includes the U.S.), then read on.  If not, then feel free to skip.

Back in August last year we looked at a brand new international data transfer agreement (‘IDTA’) template, together with a new international data transfer addendum to be used with EU SCCs (‘Addendum’), that the ICO published as part of its consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK’.

The ICO’s consultation closed on 7th October 2021, and on 28th January 2022 the Department for Culture, Media and Sport (DCMS) laid the final versions of the IDTA, the Addendum, plus the transitional provisions before Parliament.  Unless the relevant statutory instrument is ‘objected to’ (which, given its subject matter, is very unlikely), the IDTA, the Addendum and the transitional provisions will come into force on 21 March 2022.

UK data exporters who enter into agreements with their data importers based on the old EU SCCs (i.e. Standard Contractual Clauses issued under European Commission Decisions 2001/497/EC and 2010/87/EU) on or before 21st September 2022 may, if the subject matter of the processing remains unchanged, continue to rely on those agreements until 21st March 2024.  Note that this only applies where the agreements based on the old EU SCCs were modified to ‘fit’ post-Brexit UK data protection laws, and will not apply to EU SCCs entered into prior to Brexit.

Although the ICO have not yet published the responses from the consultation, the changes to the IDTA are limited with the main ones being:

Tags: , , , , , ,
Posted in Privacy, Updates | No Comments »

What’s happening with SCCs? – Part 3 (UK SCCs)

Part 1 and Part 2 of the What’s been happening with SCCs? updates have tracked the EU’s and the UK’s progress in developing standard contractual clauses (SCCs) to deal with the transfer of personal data to third countries, i.e. countries that are not considered to have an ‘adequate’ level of data protection, as well as the publication of the new EU SCCs.  This update focuses on the UK SCCs.

On 11th August 2021 the ICO launched a  consultation on ‘how organisations can continue to protect people’s personal data when it’s transferred outside of the UK‘.  As part of the consultation the ICO published its proposal for UK standard contractual clauses in the form of a brand new international data transfer agreement (IDTA), as well as its new Transfer Risk Assessment (TRA) and tool.  The ICO is also requesting comments on an update of its existing guidance on international transfers.  The consultation closes on 7th October 2021.

All very interesting I’m sure.  But is any of this relevant to me?

Short version is that if you’re transferring UK citizens’ personal data to a ‘third country’ (i.e. a country which is not considered by the UK to have ‘adequate’ data protection laws (full list here), then yes. You will need to use one of the transfer mechanisms (or ‘appropriate safeguards‘) set out in Article 46 of the GDPR (now incorporated into UK law as the UK GDPR, as amended).  And although the UK GDPR provides for a variety of transfer mechanisms, for most businesses the only practical option in these circumstances will be for both the (UK) data exporter and (third country) data importer to enter into an IDTA, having first completed a Transfer Risk Assessment (TRA).

Bear in mind that for these purposes:

Ah, ok.  So what do I need to know?

The new IDTA and TRA requirements will not not become law until the end of 2021 or, more likely, spring 2022.  Between now and then the situation is a bit of a mess.  UK law provides that the old EU SCCs must continue to be used as the Article 46 transfer mechanism, even after 27 September 2021 when they cease to be lawful for new EU cross-border data transfers.  Although some commentators have suggested that, in a post-Schrems II world, a better approach is for UK data exporters to use the new EU SCCs until the new IDTA is adopted, my view is that for the time being most UK data exporters should stay compliant with UK law and either make Brexit-required changes to their existing SCCs or, for new transfers, put in place a data transfer agreement based on the old EU SCCs.

The timelines for UK data exporters being legally required to use the new IDTA for international data transfers will be 3 months for new transfers and 21 months for existing transfers, each period running 40 days from the date on which the IDTA is laid before Parliament as a regulation.

Some high-level comments on the IDTA:

  1. In contrast to the modular new EU SCCs (which will need quite a bit of copying and pasting), the IDTA is a single agreement, made up of four parts:
    • Part 1 (Parties and signature) sets out a series of tables which capture the variables, including the status of the parties (i.e. controller, processor etc), details of the proposed data transfers, details of the data to be transferred, purposes of the transfers, and the security requirements.  If the IDTA forms part of an MSA or other commercial agreement between the exporter and importer, the MSA can be recorded as a ‘Linked Agreement’.
    • Part 2 (Extra Protection Clauses) is optional, but enables the parties to include any additional security, organisational and/or contractual protections that are considered necessary following the TRA.
    • Part 3 (Commercial Clauses) is also optional, enabling the parties to include any commercial terms that they have agreed.
    • Part 4 (Mandatory Clauses) constitutes the bulk of the IDTA, and sets out the parties’ rights and obligations in relation the data transfers.
  2. The ICO have done their best to use plain English and avoid legal terminology, and generally to keep the IDTA as user-friendly as possible.  But the IDTA template (excluding guidance notes and Q&A) runs to 43 pages, and putting one in place will require a fair bit of work.
  3. For organisations putting in place new EU SCCs for EEA-to-third country data transfers,  the ICO has helpfully produced a short addendum which, once completed and signed, will enable the EU SCCs to be used also for transfers from the UK.
  4. In contrast to the new EU SCCs, which need to be reviewed ‘at appropriate intervals’ the IDTA (and associated TRA) should be reviewed annually, which is perhaps overly onerous for low-risk transfers.
  5. A more detailed analysis of the Mandatory Clauses of the IDTA to follow once the ICO consultation is completed.

And some comments on the TRA:

  1. The TRA precedent is intended to be use for medium and low risk transfers.  High risk transfers, such as transfers to countries with poor human rights records, are likely to require more sophisticated transfer risk assessments.  The TRA is not mandatory – data exporters are free to use what form of risk assessment they consider appropriate.
  2. As with the IDTA, the ICO have done their best to make the TRA accessible and user friendly.  It contains numerous, ‘real life’ practical examples showing when transfers may be permitted.  It also explains what constitutes high, medium and low risk in the context of international transfers, and (helpfully) confirms that where the risk of harm that the transfer causes to data subjects is minimal then the transfer is permitted by default.
  3. But the TRA is 49 pages long, and will constitute a significant undertaking for all but the most well-resourced data exporters.  And although the ICO recognises the challenge that data exporters face in obtaining information about the legal framework of the data importer’s country, suggesting that information may be available via ‘reports issued by the Foreign Commonwealth and Development Office and charitable organisations‘, the ICO does not address the obvious question why this information cannot be provided by the ICO (and/or appropriate government department), instead suggesting that data exporter may need to obtain ‘expert advice‘.
  4. On a positive note, and unlike the new EU SCCs, the objective of the TRA is not necessarily to ensure that the legal framework of the data importer’s country is ‘essentially equivalent’, but whether it provides ‘very similar protections’ to those in the UK.  The TRA also makes the point that countries which have surveillance regimes may in fact be more legitimate than countries whose lack of surveillance laws may suggest a lack of safeguards.
  5. The findings from the TRA must be documented to ensure there a record of the assessment. If a data exporter uses its best efforts to complete the TRA, the ICO will take this into account in any regulatory action resulting from a later GDPR breach.

Hmm… 49-page risk assessments and 43-page data transfer agreements.  Doesn’t exactly sound ‘agile’?

You’re referring to the comments of the UK culture secretary, Oliver Dowden, who suggested in his article in the FT last February that that the UK can now be more ‘agile’ when it comes to ‘[striking] our own international data partnerships with some of the world’s fastest growing economies’.

If we accept the importance of ensuring a meaningful level of protection for UK citizens’ data when shared with third parties outside the UK then we either have to provide a mechanism which gives organisations the ability to put in place a framework to ensure a meaningful level of protection, or we go down the data localisation route and make it unlawful for personal data to be transferred from the UK to any ‘third country’.

Despite the reservations mentioned above, the ICO have in my view done a good job striking a balance between the need for ‘agility’, and the need to provide meaningful protection of personal data in a world which, for the most part, falls far behind the ‘gold standard’ of EU and now UK data protection.  But the elephant in the room remains why the ICO (or appropriate government department) cannot provide UK data exporters carrying out a TRA with guidelines regarding each third country’s legal framework, third-party surveillance rights and safeguards, and their similarity to those in the UK.  It will be interesting to see if this is addressed by the consultation.

 

 

 

Tags: , , , , , , , , , ,
Posted in Privacy, Updates | No Comments »

Get in touch

  • Your email address will only be used to respond to your message