A Balancing Act – Privacy v Business Innovation

What happened

• On 19 July 2022, the UK Government formally introduced the Data Protection and Digital Information Bill, its post-Brexit data protection reforms, into Parliament. The proposals largely align with those previously outlined in the Government’s consultation response last month (see Xcina Consulting’s previous blog post for full details of this here).
• The new Bill, which is lengthy and accompanied by a set of Explanatory Notes, serves to amend rather than replace the existing UK GDPR, Data Protection Act 2018 and the Privacy and Electronic Communications Regulations.
• In addition to data protection, the Bill covers several provisions relating to other areas that somewhat intersect with data protection, such as digital verification services and customer access to business data.
• In view of the Bill being introduced ahead of the parliamentary summer recess, it is anticipated that its second reading will take place in September, when MPs will have their first opportunity to debate the main principles of the Bill.
• After that, it must pass through several other parliamentary stages where it will be subject to further scrutiny and potential amendment before being enacted. 

Why it matters

• As covered in Xcina Consulting’s previous blog post, the UK’s ability to maintain its adequacy status with the EU following post-Brexit data protection reforms is a crucial area of concern.
• Additionally, fears remain that the suggested reforms could compromise individuals’ privacy rights. The Open Rights Group, a UK-based lobbying group that defends the right to privacy and free speech online, has declared that it will fight the plans, claiming that the reforms will promote data discrimination and establish a charter for data laundering on a global scale.
• Trade is increasingly facilitated by cross-border data flows. Many UK-based organisations require access to personal data from EU workers or consumers to offer their products and services, as well as for other purposes such as using EU-based cloud storage providers. Remedial work to enable the free flow of data between the EU and the UK in the event of a loss of adequacy could result in a significant administrative and financial burden.
• In an impact assessment issued alongside the Bill, the Government itself acknowledged that the annual benefit to trade brought about by the proposed reforms would be outweighed by the estimated impact of a loss of adequacy status with the EU.
• We will provide further and more detailed commentary in due course as the Bill progresses through Parliament.

What happened

• New guidance on UK Binding Corporate Rules (BCRs) has been released this week by the Information Commissioner’s Office (ICO), with the goal of streamlining and simplifying the process for both controllers and processors.
• The guidance is divided into separate sections for controllers and processors and takes into consideration the Schrems II CJEU (Court of Justice of the European Union) ruling, which is still applicable to the UK.
• The UK BCR approval process has been simplified, in recognition of the fact that several BCR applicants may need to seek both EU and UK BCRs. As such, the ICO shall only request supporting documents and commitments once during the UK approval process.
• Requirement tables for data controllers and processors have been updated, alongside revised application forms and supporting guidelines to give clarity when organisations have used UK BCRs to transfer data.
• Another key change is the contents that must appear in the UK BCR document, which the ICO refer to as the ‘BCR Policy’. This is the document the ICO expect organisations to publish in full, providing data subjects with the key GDPR Article 47 information about their data and its transfers under the UK BCRs.
• According to the guidance, although it is expected that a transfer risk assessment has been performed, the ICO will not require evidence of it as part of the UK BCR approval process.
• The ICO outlined it will be unable to accept any BCR documentation that is not UK focussed, and to avoid combining EU and UK BCRs that could undermine the protections and safeguards available under UK law.

Why it matters

• As international data flows increase, it is increasingly important that appropriate safeguards are implemented, and high standards are maintained to protect personal data leaving the UK.
• BCRs are one of the ways of ensuring that appropriate safeguards are in place when transferring personal data to a third country outside the UK, where the third country is not covered by a finding of adequacy.
• BCRs are intended for use by multinational corporate groups, groups of undertakings, or a group of enterprises engaged in a joint economic activity such as franchises, joint ventures, or professional partnerships.
• They are essentially a set of internal policies such as a code of conduct, approved by the ICO, that are legally binding on all group members who sign up to them, including their staff.
• The ICO confirmed that it regards BCRs as the ‘gold standard’ transfer mechanism, which demonstrates an organisation’s commitment to implementing appropriate safeguards.
• This is because each group member must abide by the BCRs and is responsible for any violations, ensuring the corporate group as a whole has consistent data protection requirements, which is considered to provide a high level of protection.
• The ICO advises that any organisations wishing to submit a BCR application should review their guidance prior to preparing a UK BCR application pack. This guidance will also assist organisations with their ongoing obligations post-approval.