United Kingdom

On 3 October 2023, the UK Information Commissioner’s Office (“ICO”) finalized its Employment practices and data protection − Monitoring workers guidance (“Guidance”) to account for new types of work, including work from home, and the use of more sophisticated technologies for monitoring. In November 2022, we published a detailed blog post on the ICO’s public consultation.

The finalized Guidance is aimed at employers. It does not prevent employers from engaging in monitoring; rather, it sets out how they can do so in compliance with data protection law.  The Guidance defines “monitoring workers” as “any form of monitoring of people who carry out work on [an employer’s] behalf” and can include “monitoring workers on particular work premises or elsewhere” both during and outside working hours. The Guidance is clear that it applies to homeworking.  It also applies to a range of monitoring technologies and purposes, including (but not limited to) technologies for monitoring timekeeping or access control; keystroke monitoring to track, capture and log keyboard activity; and productivity tools which log how workers spend their time.

Continue Reading UK Information Commissioner’s Office Releases New Guidance for Monitoring at Work

On 12 September 2023, the UK Information Commissioner, John Edwards, and the Chief Executive of the National Cyber Security Centre (“NCSC”), Lindy Cameron, signed a joint memorandum of understanding (“MoU”) detailing how the Information Commissioner’s Office (“ICO”) and NCSC will work together moving forward.

The MoU does not create legally binding obligations between the ICO and NCSC, but provides a strong signal of intent for areas of cooperation.  The statements about information sharing and engaging with NCSC leading to potentially reduced fines under the UK GDPR are likely to be of particular interest to commercial organizations.

Continue Reading ICO Encourages Organizations To Cooperate with NCSC and Flags Potential Reduction in Fines

On 29 March 2023, the UK Information Commissioner’s Office (“ICO”) published updated Guidance on AI and data protection (the “Guidance”) following “requests from UK industry to clarify requirements for fairness in AI”. AI has been a strategic priority for the ICO for several years. In 2020, the ICO published its first set of guidance on AI (as discussed in our blog post here) which it complemented with supplementary recommendations on Explaining Decisions Made with AI and an AI and Data Protection risk toolkit in 2022. The updated Guidance forms part of the UK’s wider efforts to adopt a “pro-innovation” approach to AI regulation which will require existing regulators to take responsibility for promoting and overseeing responsible AI within their sectors (for further information on the UK Government’s approach to AI regulation, see our blog post here).

The updated Guidance covers the ICO’s view of best practice for data protection-compliant AI, as well as how the ICO interprets data protection law in the context of AI systems that process personal data. The Guidance has been restructured in line with the UK GDPR’s data protection principles, and features new content, including guidance on fairness, transparency, lawfulness and accountability when using AI systems.

Continue Reading UK ICO Updates Guidance on Artificial Intelligence and Data Protection

The UK Information Commissioner’s Office (“ICO”) recently published detailed draft guidance on what “likely to be accessed” by children means in the context of its Age-Appropriate Design Code (“Code”), which came into force on September 2, 2020. The Code applies to online services “likely to be accessed by children” in the UK. “Children” are individuals under the age of 18. In order to determine whether an online service is “likely to be accessed” by children, companies must assess whether the nature and content of the service has “particular appeal for children” and “the way in which the service was accessed”. This new draft guidance provides further assistance on how to make this assessment, and is undergoing a public consultation until May 19, 2023.

Continue Reading UK ICO Provides Guidance On When A Service Is “Likely To Be Accessed By Children” And Needs To Comply With Its Age-Appropriate Design Code

On 18 July 2022, following its recent response to the public consultation on the reform of UK data protection law (see our blog post on the response here), the UK Government introduced its draft Data Protection and Digital Information Bill (the “Bill”) to the House of Commons.

The Bill is 192 pages, and contains 113 sections and 13 Schedules, which amend and sit alongside existing law (the UK GDPR, Data Protection Act 2018 (“DPA”), Privacy and Electronic Communications Regulations 2003 (“PECR”), the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, etc.). Some readers’ immediate reaction might be to query whether the Bill will simplify the legislative framework for businesses operating in the UK and facilitate the goal of the Information Commissioner to provide “certainty” for businesses. Time will tell. The Government’s publication of a Keeling Schedule (essentially a redline of the UK GDPR and DPA 2018 showing the changes resulting from the Bill), expected in the Autumn, will be welcome.

Much of the content of the Bill was previewed in the Government’s consultation response and include proposed changes that are designed to try to reduce the administrative burden on business to some extent.  The Bill is by no means a radical departure from existing law, however, and in some key areas – such as data transfers – the law will essentially remain the same.  But we now have additional important details on proposed changes to UK data protection law, and we set out in this post our immediate thoughts on some details that are worth highlighting.

Continue Reading A Cautious Approach: the UK Government’s Data Protection and Digital Information Bill

In October 2019, the UK and U.S. Governments signed an agreement on cross-border law enforcement demands for data from Communication Service Providers (the “Agreement”, which we described in our earlier post here). Only now, however, have the two countries completed the procedural steps required to bring the Agreement into force. On July 21, 2022

The UK Government recently published its long-awaited response to its data reform consultation, ‘Data: A new direction’ (see our post on the consultation, here).

As many readers are aware, following Brexit, the UK Government has to walk a fine line between trying to reduce the compliance burden on organizations and retaining the ‘adequacy’ status that the European Commission granted in 2021 (see our post on the decision, here).

While we’ll have to wait to review the detail of the final legislation, we outline below some of the more eye-catching proposals for reform.

Continue Reading 8 Eye-catching Reforms in the UK Government’s Response to its Public Consultation on Data Protection Law

The UK Government has issued a “call for views” on the current level of physical, technical and organizational security provided by data center operators (i.e. colocation service providers, not businesses that operate their own data centers) and cloud service providers (including providers of infrastructure-as-a-service, platform-as-a-service, and managed services). The Government intends to use

On May 10, 2022, Prince Charles announced in the Queen’s Speech that the UK Government’s proposed Online Safety Bill (the “OSB”) will proceed through Parliament. The OSB is currently at committee stage in the House of Commons. Since it was first announced in December 2020, the OSB has been the subject of intense debate and scrutiny on the balance it seeks to strike between online safety and protecting children on the one hand, and freedom of expression and privacy on the other.

Continue Reading Online Safety Bill to Proceed Through Parliament

In the Queen’s Speech on 10 May 2022, the UK Government set out its legislative programme for the months ahead. This includes: reforms to UK data protection laws (no details yet); confirmation that the government will strengthen cybersecurity obligations for connected products and make it easier for telecoms providers to improve the UK’s digital infrastructure; and new rules to enable the use of self-driving cars on public roads. In addition, the government confirmed its plans to move forward with the Online Safety Bill. As part of the government’s broader agenda to “level up” the UK and provide a post-Brexit economic dividend, many of the legislative initiatives referenced in the Queen’s Speech are presented as seeking to encourage greater use of data and technology to support innovation and enable growth.

We summarize below the key digital policy announcements in the Queen’s Speech and how they fit into wider developments in the UK’s regulatory landscape.

Continue Reading UK Privacy and Digital Policy & Legislative Roundup