It has been four years since the Online Safety Bill was proposed by Theresa May’s government in April 2019. We have been reporting its journey through the various stages, including several amendments that were tabled and discussed in an earlier blog. Ofcom and the ICO share strong synergies in regulating data protection and online safety in the UK. We look at the partnership and the new Bill. In a separate development Jackie Barlow, Data Protection Senior Consultant at Xcina Consulting discusses the legal battle in which credit reference agency Experian received a favourable outcome against the U.K. Information Commissioner’s Office (ICO). What factors are used by your organisation to determine whether your data processing activities are lawful?
The new Online Safety Bill and the partnership between the ICO and Ofcom
The new Online Safety Bill is currently being debated by the House of Lords Committee.
Ofcom and the ICO are the bodies responsible for regulating data protection and online safety in the UK and will work closely to achieve maximum alignment going forward. There are strong synergies between the objectives of the two organisations.
The ICO already launched the Children’s Code (known as the Age Appropriate Design Code) in 2020, a code of practice for online services such as apps, online games and web and social media sites likely to be accessed by children.
Under the new Bill, Ofcom will take on additional duties and has already highlighted the importance of a number of points in several statements, including:
- Users of online services being confident that their safety and privacy will be upheld.
- Online service providers complying with their obligations to continue to grow and innovate, supported by regulatory clarity.
- It will be important for all organisations to design their online services with both privacy and safety in mind.
The NSPCC is also calling on the government to protect children via the Online Safety Bill, having seen child abuse image crimes reach record levels. There has been a 66% increase in child abuse image offences being recorded by the UK police in the past 5 years.
Unregulated social media platforms are responsible for the increase in these crimes, and it is believed that social media companies are failing to stop their sites being used to commit, organise or share child abuse. The NSPCC’s research* has shown that Snapchat is the site most used to share images (43% of cases), with Facebook, Instagram and WhatsApp used in 33% of cases.
Additionally, virtual reality environments such as the Metaverse (accessed through Oculus headsets) have been found, for the first time, to be involved in sexual abuse image crimes involving children.
Why it matters
The Online Safety Bill will build safeguarding into regulation and will prioritise child protection. It will be crucial for an ‘early warning system’ to be established, so that child abuse risks can be spotted early and to ensure companies and Ofcom are aware of them.
It is expected that the Bill will be brought into law later this year. The ICO and Ofcom have worked together for many years and share similar principles in their approach to regulation, transparency, accountability, proportionality and consistency. By aligning their approaches, they aim to protect individuals more effectively.
With online child abuse crimes at record levels and the public demanding action, it is crucial that the Online Safety Bill stands as a key pillar of the child protection system in the future.
The ICO and Ofcom have issued a joint statement about online safety and data protection which can be found at online-safety-and-data-protection-a-joint-statement-by-ofcom-and-the-ico.pdf.
*The NSPCC’s article can be found at: We’re calling for effective action in the Online Safety Bill as child abuse image crimes reach record levels | NSPCC.
Direct Marketing and transparency - Experian’s appeal to the First-Tier Tribunal
Experian holds data on most individuals in the UK. The data is screened, traded, profiled and enhanced to provide direct marketing services.
The ICO issued an enforcement notice against Experian in October 2020 which followed a two-year investigation into how the firm and two other credit reference agencies had used individuals’ personal data for direct marketing purposes.
Experian appealed against the ICO’s enforcement notice, and the appeal was referred to the First-Tier Tribunal (FTT). It wanted to rely on the exemption in Article 14(5) of the GDPR to not provide a privacy notice to approximately 5.3 million individuals because this would require disproportionate effort.
Whilst the FTT ruled mostly in Experian’s favour, in terms of transparency, they agreed with the ICO’s argument that Experian had not notified individuals that it was processing their data for direct marketing purposes. The FTT has set out requirements for Experian to develop and implement a system to ensure all individuals whose data is obtained from the Open Electoral Register, the Registry Trust Ltd and Companies House are issued with a compliant privacy notice. Experian must also provide a privacy notice to all other relevant individuals within 12 months.
However, there are a number of circumstances where the firm does not need to provide a privacy notice, for example:
- where it obtains data from its credit reference agency business, its consumer services business or its third party commercial suppliers, or
- where it processes data only in connection with its suppression databases or directory enquiry database.
The outcome of this case means Experian will need to notify individuals on a much smaller scale than the ICO had originally requested. It was the FTT’s view that when issuing the enforcement notice, the ICO had not considered certain mitigating factors, including that Experian’s processing of personal data did not result in adverse outcomes for individuals.
Why it matters
The processing of personal data for direct marketing services must adhere to data protection law and be fair and transparent.
In terms of transparency, the FTT found that notice provided through third parties had been sufficient; particularly that the credit reference agency information notice (made available to data subjects) and Experian’s customer information portal (which sets out how Experian uses personal data) together provided individuals with an understanding of Experian’s business.
The FTT noted the challenges of balancing large amounts of privacy information with the intention of being transparent while trying to avoid information overload.
The FTT suggested that only those individuals who express an interest in how their data is used tend to read the whole privacy notice. In Experian’s case there was a sufficiently easy trail to the information if individuals wanted it.
Despite Experian’s reliance on Article 14, the FTT concluded that the firm did violate Article 14 and must now rectify this non-compliance in future personal data collections. It must also stop the processing of personal data that should have been the subject of an Article 14 notice but was not.
This was an interesting appeal brought by Experian, which has shown how consumers can, in some cases, benefit from data processing. It was the FTT’s view that it was unlikely that anyone had suffered damage or distress as a result of Experian’s failure to provide an Article 14 notice.
Further information can be found at Tribunal rules on Experian appeal against ICO action | ICO.