Data dispatch - October 2023

Welcome to the first edition of Data Dispatch from the Data Advisory team at RPC. Our aim is to provide you on a monthly basis with an easy-to-digest summary of key developments in data protection law.

Key developments

New Data Bridge to Allow For UK-US Data Transfers

The new data bridge, an extension to the EU-US Data Privacy Framework (the DPF), will allow UK businesses to transfer personal data to certified US organisations without needing to put in place the typical safeguards (e.g. Standard Contractual Clauses) or performing a transfer risk assessment.

The U.K. Secretary for Science, Innovation and Technology laid regulations before the U.K. Parliament implementing a UK – US Data Bridge which took effect on the 12th of October 2023. The data bridge allows UK businesses and organisations to transfer personal data to US businesses certified under the UK Extension to the DPF, provided the latter comply with their obligations under the DPF. US businesses certified with the DPF commit to complying with certain GDPR-style privacy obligations (e.g. purpose limitation and data minimisation). The data bridge is a welcome development as it will cut down time taken for businesses to agree and implement data transfers to the US by eliminating the need for transfer risk assessments and Standard Contractual Clauses. It should also provide UK data subjects with confidence that their data transferred to the US will be protected in line with requirements in their home country. (Source)

ICO And CMA Caution Against Risks of Harmful Digital Design

The ICO and CMA recommend that designers implement well-designed online choice architecture (OCA) to enable users to make informed choices that are aligned with their goals, preferences, and best interests.

The joint position paper on 'Harmful Design in Digital Markets' stated that poorly designed or misused OCA can undermine data protection by manipulating users into sharing more information than they would otherwise volunteer and depriving them of meaningful control over how their personal data is processed.

The joint paper highlights several potentially damaging OCA design practices including harmful nudges, bundled consents and default settings.

Practically, websites and online service providers are expected to:

• build OCA around users' interests and preferences;
• empower user choice and control to make informed choices regarding the processing of their personal data;
• test OCA design choices to ensure that such choices are based on evidence; 
• consider whether certain OCA choices could be unfair to users or anti-competitive; and
• ensure that services adhere to the standards provided for in the ICO's Children's Code when accessed by children.

(Source)

Enforcement action

ICO to step up investigations into cookie rejection buttons

The ICO has recently announced that companies which fail to put a "reject all" cookies option on the top layer of their cookie banners will be far more likely to be investigated by the ICO, which is cracking down on improper consent mechanisms. However, Stephen Bonner (the Deputy Commissioner) left the door open for businesses to quickly remedy any non-compliant cookie banners to reduce the chance of a fine being issued.

This follows the trend in the EU where regulators have similarly been cracking down on non-compliant cookie banners such as in France where the regulator CNIL issued €210,000.00 in fines against 3 companies. The ICO followed up its announcement with a blog piece reiterating the power that online websites have over their users. This includes affecting the content users may see for several weeks after a cookie may have been accepted. Having a clear "reject all" option is in-keeping with the principle that it should be as easy to reject cookies as it is to accept them, which the ICO is seeking to enforce more frequently.

Whilst for the time being cookie banners are a consistent feature of websites, and therefore invite regulatory risk, they are expected to start disappearing over time as large industry players move away from using third party cookies.

Businesses should ensure that they have a clear "reject all" option available to customers on their primary cookie banner and comply with the transparency requirements for cookies used.

(Source)

End Of 'BCC'? ICO Recommends Alternative Methods for Bulk Communication

The ICO's latest guidance has drawn attention to the perils of employing blind carbon copy (BCC) for sending bulk communication, while urging the use of alternative methods with lower associated risks.

The failure to use BCC correctly in emails is one of the top non-cyber data breaches reported to the ICO every year. Recently, the ICO has fined a Scottish charity after using the carbon copy feature for sending an email about an art competition to 105 of their recipients. The data breach enabled recipients to make assumptions about other's HIV status or risk.

The new guidance has been segmented into the below recommendations:

• You 'Must' assess the appropriate technical and organisational measures prior to sending bulk communications to protect personal information.
• You 'Should' train your staff to undertake security measures when sending bulk communications.
• You 'Should' consider other secure alternatives for bulk communications, like mail merger services.
• You 'Could' send individual emails rather than using bulk communications when sending to a small group.

(Source)

Need to know

ICO Consults on Draft Guidance on Biometric Data

The ICO's draft guidance explains data protection requirements when processing biometric data and implementing biometric recognition systems.

The Information Commissioner's Office (ICO) has released draft guidance on biometric data and technologies for public consultation, aiming to regulate their use in the future. This guidance stems from previous ICO reports titled 'Biometrics: Insight' and 'Biometrics: Foresight'. The draft defines 'biometric data' and 'special category biometric data,' emphasising that any use of biometric recognition systems will involve processing personal data. The guidance outlines data protection requirements, including adopting a data protection by design approach, conducting a data protection impact assessment, and potentially relying on explicit consent for processing special category biometric data. This guidance offers organisations involved in biometrics a chance to provide feedback and influence future regulations through a public consultation process until 20 October 2023. Organisations using or considering biometric recognition systems should carefully consider these data protection requirements and seek guidance from the ICO's Innovation Advice Service for compliance.

(Source)

A Primer on India’s New Data Protection Law

India enacts a comprehensive principles-based data protection law – the Digital Personal Data Protection Act, 2023 (“DPDPA”)

India has finally enacted a comprehensive principles-based data protection law – the Digital Personal Data Protection Act, 2023 (“DPDPA”) on August 11, 2023. While the law has been passed, the provisions of the law are yet to be brought into effect. While the DPDPA provides a framework for the new data protection regime, several key provisions of the law are yet to be operationalized through rules and regulations to be issued by the Indian government.

The DPDPA when enforced will replace Section 43A of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 which set out a compensation-based regime governing protection of sensitive personal data in India.

The DPDPA is the first omnibus law that deals with processing of personal data in India and represents a new and unique take on data protection. Entities will be required to build up functionalities from scratch to comply with the requirements of the law.

Full article on the new law can be found here.

Contributed by Nishith Desai Associates.