Brexit

By Larry Buzecky, AEM Vice President of Business Intelligence

This is part two in a two-part series of articles analyzing data regulatory trends and their potential impacts. Read part one here.

In January 2020, the United Kingdom (UK) broke away from the European Union (EU), triggering a major review of its trade agreements and regulatory frameworks. Data, like any other valuable, portable asset, was impacted as well.

Harriet Jones, a UK Solicitor since 2008 and current Partner at UK-based IBB Law since 2016, experienced the impact directly. She now helps her clients chart a data regulatory compliance course through a post-Brexit landscape, and she shared her insights on important current trends.

“Time for a change.”

When the UK was part of the EU, it needed to comply with the General Data Protection Regulation (GDPR), the framework that covers data protection and privacy for EU citizens. Under GDPR, restrictions were put in place on transfers of personal data outside the European Economic Area (EEA), and thus outside the protection of the GDPR, with only a limited number of exceptions allowed.

Jones noted that the UK is very active on a global scale in terms of international data transfers and is still heavily influenced by the EU approach. Mirroring how things function under the EU regime, international transfers from the UK require either an adequacy ruling on the data protections in place in the receiving country or the incorporation of standard contractual clauses (SCCs) into the contracts governing the transfer. This does, however, create headaches for UK businesses, and Parliament is proposing to lighten the burden.

Relying solely on SCCs comes with risk: the implications of such clauses may not be appreciated by the businesses in the other countries, so the UK business may still need to carry out quite a lot of practical due diligence to demonstrate that it has considered the risks of sending data to the third country. Thus, the UK has begun to move toward allowing businesses to determine for themselves whether any clauses should be incorporated for their data transfers, what is being referred to as a risk-based approach to international transfers. But businesses really do need to ensure data protection adequacy is met if they opt out of contractual clauses.

Of note, no state in the U.S. currently has an adequacy ruling from the EU or the UK.

Another change that is being proposed by the UK government is in relation to subject access requests: prior to GDPR, a company could charge a nominal fee to an individual if they requested their personal data. With GDPR came the elimination of this fee except in very limited circumstances.

Consequently, websites sprang up that provided disgruntled customers with templates for requesting their personal data, costing businesses time and money.

“There are limited grounds for refusing these requests,” said Jones. “The current test for response is whether the request is ‘excessive or manifestly unfounded.’” If so, a business can refuse the request or charge a fee for responding. But this test is rather rigidly defined, and there is a new proposal from the government in which “manifestly unfounded” is replaced by the concept of “vexatious.” Refusal to comply with a vexatious request allows more latitude for subjectivity and would let businesses refuse or charge for these data requests. That might be helpful to businesses on the receiving end of template requests, but it further propels the UK away from the GDPR framework.


“Isn’t all this stuff for the big companies anyway?”

Jones noted that there is still general ignorance or lack of awareness among companies of all sizes about data protection requirements. Businesses have been slow to hire for in-house compliance or to develop in-house compliance teams.

They also struggle with contract language translations for international transfers. “These other countries wonder why the UK is being so pedantic about clauses,” said Jones.

“Contracts,” she continued, “need to drive toward a finish line and, ultimately, data regulatory compliance becomes an afterthought. But standard contractual clauses are a must - you must demonstrate compliance.”

Big businesses are starting to understand their obligations better, to a point. The UK’s Information Commissioner's Office (ICO), the independent authority that oversees data privacy protection for individuals, has been posting larger fines, which has been waking businesses up to their liability exposure. This came after a period of ICO enforcement leniency during the COVID crisis.

A well-known case involves Halfords, a large UK retailer of automotive and cycling products. They had sent out approximately 500,000 unsolicited emails, causing numerous complaints from consumers, and the ICO came knocking. To Halfords’ credit, they cooperated with the ICO investigation and ultimately paid only £30k in fines, but Jones notes that the amount of management time and resources required to investigate and cooperate with the ICO will undoubtedly have been significant.

But the biggest fines command the biggest headlines. In 2021 alone, GDPR fines levied included an Amazon fine for €746 million ($823.9 million), WhatsApp for €225 million ($247 million), Facebook for €60 million ($66 million), and Google for €50 million ($55 million).

Direct marketing is of major interest to the ICO, noted Jones, because “…this is where the most complaints are generated. And this becomes part of the corporate data risk assessment – which of my actions will generate the most complaints?”

“Is technology my biggest risk here? What other risks should I know about?”

Jones conceded that technology is running away from businesses, and it’s hard for businesses to keep up. “It’s the biggest risk for business,” she observed. “If you’re changing up your IT, this risk should be in the forefront of your minds in terms of data, particularly if new software is being considered.”

But other risks pose threats, such as during a merger. Noted Jones, “When you’re putting data sets together, you should evaluate if your data sources are compatible. How do you integrate them? The risk also exists as merged companies look for synergies, and that’s when an impact assessment needs to be run. This is a massive issue for law firms.”

The Data Protection Impact Assessment (DPIA) is “…a process designed to help you systematically analyze, identify and minimize the data protection risks of a project or plan. It is a key part of your accountability obligations under the UK GDPR, and when done properly helps you assess and demonstrate how you comply with all of your data protection obligations,” as stated on the relevant ICO web page.

Another risk that has arisen involves businesses failing to offer cookie acceptance banners on their websites. “They disappeared from the UK for a while,” said Jones, “but now they’re back because of the ICO’s revitalized scrutiny post-COVID.”

Recognizing this opportunity, individuals are pursuing prosecution against businesses that do not have cookie banners in place. “Litigants are saying you can pay us off and we’ll go away. This is ransom,” said Jones.

What about the U.S.?

As noted earlier, there is no blanket adequacy ruling for any state in the U.S., and therefore the UK is not paying close attention to data regulatory trends in this country.

Jones acknowledged that the UK will have to look at what state they are dealing with in the U.S. on a case-by-case basis. “The UK treats the U.S. as lots of different countries,” she said, “and our hands are so full with the EU that it’s hard to focus on the U.S.”

A very special thanks to Harriet Jones for her perspective and insights.
