There have been many headlines today about the UK Government’s plans to reform UK data protection law. We are still reviewing the (near 150-page) consultation document, but set out below a dozen proposals that we thought might pique the interest of readers of our blog.
Continue Reading 12 Eye-Catching Proposals In The UK Government’s Plan To Reform UK Data Protection Law

On 2 September 2021, the transition year for the Children’s code (or Age Appropriate Design Code) published by the UK Information Commissioner (“ICO”) ended. The ICO’s Children’s code was first published in September 2020, with a 12-month transition period. In an accompanying blog, the ICO has stated that it will be “proactive in requiring social media platforms, video and music streaming sites and the gaming industry to tell [the ICO] how their services are designed in line with the code.”

Over the summer, the ICO has also approved two certification schemes under the UK GDPR. The certification schemes provide organizations with a mechanism to demonstrate their high level of commitment to data protection compliance.


Continue Reading UK ICO’s Children’s Code Transition Year Ends and ICO Approves Related Certification Schemes

On 26 August 2021, the UK Government unveiled a package of announcements which effectively set out its post-Brexit data strategy.

This blog looks at the politics around the costs and benefits of a Brexit divergence dividend in this sector, which the UK Government views as a key area of competitive advantage.
Continue Reading Data Divergence: A Brexit Dividend?

On August 11, 2021, the UK Information Commissioner’s Office (“ICO”) opened a public consultation to solicit stakeholder input regarding the UK’s approach to regulating international transfers of personal data under the UK General Data Protection Regulation (“UK GDPR”) (see here).  To kick off this initiative, the ICO published a consultation paper setting out various policy options that the UK is considering, as well as:

  • a draft set of contractual templates to facilitate transfers of personal data outside the UK, including: (1) a draft international data transfer agreement (“IDTA”); and (2) a draft international transfer addendum to be appended to the recently approved EU standard contractual clauses (“EU Addendum”); and
  • a draft transfer impact assessment tool designed to help controllers and processors transferring personal data under the UK GDPR satisfy the requirements articulated by the Court of Justice of the European Union (“CJEU”) in the Schrems II decision (see here).

The ICO has requested that interested stakeholders submit their feedback by no later than October 7, 2021.  In this blog post, we summarize these documents and tools, and identify topics that interested stakeholders may want to address when preparing their submission to the public consultation.


Continue Reading UK Information Commissioner’s Office Opens Public Consultation on Policy Proposals and Documentation for International Transfers

With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.

Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19.  This raises privacy issues under the General Data Protection Regulation (“GDPR”), because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)).  This category is subject to more stringent data protection measures due to the sensitive and personal nature of data, and can only be processed in very limited circumstances (Art. 9(2)).


Continue Reading COVID-19: Processing of Vaccination Data by Employers in Europe

In this blog post, we look at a recent decision by the UK Court of Appeal and a separate prosecution brought by the Information Commissioner’s Office (“ICO”; the UK data protection authority), which together serve as a cautionary tale for employees and prospective future employers of the risks of civil liability and criminal conviction for confidential information and data theft.

Clear contractual terms and policies, supplemented by training, remain critical tools for employers seeking to deter employees from misappropriating corporate information.  Employers may wish to make use of these examples to underscore the importance of compliance.


Continue Reading Employee Confidentiality and Data Theft: Recent UK Developments

On January 6, 2021, the UK’s AI Council (an independent government advisory body) published its AI Roadmap (“Roadmap”). In addition to calling for a  Public Interest Data Bill to ‘protect against automation and collective harms’, the Roadmap acknowledges the need to counteract public suspicion of AI and makes 16 recommendations, based on three main pillars, to guide the UK Government’s AI strategy.

Continue Reading AI Update: The Future of AI Policy in the UK

In April 2019, the UK Government published its Online Harms White Paper and launched a Consultation. In February 2020, the Government published its initial response to that Consultation. In its 15 December 2020 full response to the Online Harms White Paper Consultation, the Government outlined its vision for tackling harmful content online through a new regulatory framework, to be set out in a new Online Safety Bill (“OSB”).

This development comes at a time of heightened scrutiny of, and regulatory changes to, digital services and markets. Earlier this month, the UK Competition and Markets Authority published recommendations to the UK Government on the design and implementation of a new regulatory regime for digital markets (see our update here).

The UK Government is keen to ensure that policy initiatives in this sector are coordinated with similar legislation, including those in the US and the EU. The European Commission also published its proposal for a Digital Services Act on 15 December, proposing a somewhat similar system for regulating illegal online content that puts greater responsibilities on technology companies.

Key points of the UK Government’s plans for the OSB are set out below.


Continue Reading UK Government Plans for an Online Safety Bill

Over the past 9 months, the UK has been hammering out the shape of its future trading relationship with the EU, as well as many others, and there apparently are signs of progress in the past few days as a result of intensified talks between the two sides. Some are reporting a deal will be

The English High Court has recently awarded damages in a data privacy case, with two features of particular interest.  First, the nature of the claim is more reminiscent of a claim in defamation than for data privacy breaches, which is a development in the use of data protection legislation.  Secondly, the damages awarded (perhaps influenced by the nature of the case) were unusually high for a data privacy case.

The decision highlights an unusual use of data protection in English law, as a freestanding form of quasi-defamation claim, as the claimants sought damages for reputational harm (as well as distress) solely under the Data Protection Act 1998 (the “DPA”, since replaced by the Data Protection Act 2018, which implemented the General Data Protection Regulation ((EU) 2016/679) (GDPR) in the UK) rather than in a libel or defamation claim, or in parallel with such a claim.  It also sets a potentially unhelpful precedent by awarding two of the claimants £18,000 each for inaccurate processing of their personal data, an amount that is significantly higher than has been awarded in other data protection cases brought under the DPA.  If such awards were to be made in the context of a class action, the potential liability for data controllers could be significant.
Continue Reading English High Court Awards Damages for Quasi-Defamation Data Claim