Data privacy and cybersecurity – UK and EU roundup 2021

Published on December 14th, 2021


2021 was dominated by issues around data transfers. Other hot topics included children's data, AI and health data. See below for a summary of the highlights; for the full lowdown and a wealth of articles and webinars on the year's biggest developments, visit our Global Data Hub. You can also find our predictions for 2022 here.

Moving on from GDPR

With the end of the Brexit transition period, the GDPR became the UK GDPR in (obviously) the UK.

In May, the government published its response to the consultation on its National Data Strategy. As a result of the consultation, the government concluded that the framework set out in the Strategy is fit for purpose but identified areas for continued conversation.

Soon after EU adequacy decisions had been adopted, the UK published its plans for data protection, suggesting a move away from the EU in some areas. In a package of plans the government announced:

  • a focus on agreeing new adequacy arrangements, initially with six priority countries – the USA, Australia, South Korea, Dubai International Finance Centre, and Colombia. After that it will look at India, Brazil, Kenya and Indonesia
  • a mission statement on the UK's approach to international data transfers and a UK Adequacy Manual which will be used to inform the assessment of a territory's commitment to high data protection standards. This includes an international data transfers toolkit which sets out existing and planned transfer mechanisms (for example, the new International Data Transfer Agreement or IDTA, which will replace Standard Contractual Clauses and is currently the subject of a separate consultation)
  • plans for an International Data Transfers Expert Council to support the facilitation of international data flows
  • John Edwards as the government's preferred nominee as the new ICO with an enhanced role
  • an upcoming consultation on the future of the UK's data protection regime.

In September came the promised consultation on the government's proposals for an overhaul of the UK GDPR and DPA18 as we discussed here. Many of the proposals aim to cut 'red tape' around current EU GDPR-derived rules and would certainly involve departures from the letter if not the spirit of the current regime. The ICO also consulted on amending the incident reporting framework under the NIS Regulations.

As the ICO commented in her response to the government's proposals, the devil will be in the detail. The main message of the response seems to be that more information would be needed about the plans to enable an assessment.

The ICO, unsurprisingly, emphasises maintaining current privacy standards and, on the issue of data transfers, underlines the importance of maintaining EU adequacy. At the same time she is supportive, in principle, of measures which would increase flexibility and reduce administrative and regulatory obligations, provided that this does not result in a fall in standards.

The strongest language is used in response to the government's proposals to reform the ICO. While the ICO supports a regulatory governance model involving a supervisory board with separate Chair and CEO, she says "there are specific proposals where I have strong concerns because of their risk to regulatory independence".





We should know more this time next year.

Cybersecurity

The government published draft Regulations to be made under the Telecommunications (Security) Bill 2020 in February. The Bill became law at the end of November, and it and the related Regulations are intended to strengthen the cybersecurity of the UK's communications infrastructure, including 5G and full fibre networks. The newly published draft Regulations are made under ss 105B and D of the Communications Act 2003 (as it will be amended by the Bill) and relate to requirements to take specific security measures and to take specified steps in relation to any security breaches.

In November, the government published a response to its call for views on amending the incident reporting framework for digital service providers under the NIS Regulations. The government is proposing to move incident thresholds out of legislation and into the control of the ICO.

While some respondents disagreed with this approach, over 70% agreed and therefore the government continues to believe this is the best approach, stating that current reporting thresholds are not fit for purpose and result in too few incidents being reported. The ICO launched consultations on threshold models in September (see below).

The government published a response to its call for views on measures to enhance the security of digital supply chains and third-party IT services. The government's proposals received broad support including around certification of assurance marks and minimum requirements in public procurement. The majority of respondents agreed that new or updated legislation would be a sensible way to address issues. The government will set out further policy objectives, probably as part of its upcoming National Cyber Strategy.

Controversial NHS data sharing scheme delayed

The UK government confirmed a delay to controversial proposals to add patient data from GP records to a central NHS digital database in near real time.
