Data Privacy Regulation: Looking to 2025 and Beyond


In the second part of his overview of data privacy then and now, our Data Privacy and Intellectual Property specialist, David McIntosh, looks at what is happening now in the UK, the US and globally, and at what we can see happening in the next few years that will influence our data rights in the future. Hold onto your hats….

In order to understand what may happen in the next few years, it may be helpful to assess the government’s views and aspirations by examining a number of government policy papers. This article isn’t intended to cover the detailed proposals contained within these policies but rather aims to deal with a number of their strategic themes.

As a reminder, the ICO reports into the UK’s Department for Digital, Culture, Media & Sport (DCMS).

In September 2020, DCMS published a policy paper entitled the “National Data Strategy”. This was updated on 9 December 2020.

National Data Strategy

To quote the Minister the Rt Hon. Oliver Dowden CBE MP who was then Secretary of State for DCMS:

“This National Data Strategy aims to… free up businesses and organisations to keep using data to innovate, experiment and drive a new era of growth. It seeks to harness the power of data to boost productivity, create new businesses and jobs, improve public services and position the UK as the forerunner of the next wave of innovation. Under this strategy, data and data use are seen as opportunities to be embraced, rather than threats against which to be guarded…The strategy is a central part of the government’s wider ambition for a thriving, fast-growing digital sector in the UK, underpinned by public trust.”

The Executive Summary states:

“This strategy looks at how we can leverage existing UK strengths to boost the better use of data across businesses, government, civil society and individuals. Having left the European Union, we will take advantage of being an independent, sovereign nation to maximise those strengths domestically, and position ourselves internationally to influence the global approach to data sharing and use”.

Data: A New Direction

On 10 September 2021, DCMS issued for public consultation a further document known as “Data: A new direction”. Consultation formally closed on 19 November 2021 and the government will publish its response shortly.

This new document starts off boldly and it’s difficult to disagree with the introductory sentence:

“Data is now one of the most important resources in the world. It fuels the global economy, drives science and innovation, and powers the technology we rely upon to work, shop and connect with friends and family”.

But the next sentence gives the reader absolutely no doubt what the drivers behind the new data direction are:

“Now that we have left the EU, we have the freedom to create a bold new data regime: one that unleashes data’s power across the economy and society for the benefit of British citizens and British businesses whilst maintaining high standards of data protection.”

The policy, quite properly, goes on to say:

“The protection of people’s personal data must be at the heart of our new regime. Without public trust, we risk missing out on the benefits a society, powered by responsible data use, has to offer. And far from being a barrier to innovation or trade, we know that regulatory certainty and high data protection standards allow businesses and consumers to thrive”.

Delivering on Data

As it could be argued that there is already an emerging international consensus around the maintenance of high global privacy standards, we will need to assess, in the fullness of time, whether the government’s proposals will actually deliver regulatory certainty and high data standards. One of the government’s key proposals is to introduce a new power for the Secretary of State for DCMS to periodically prepare a statement of strategic priorities which the ICO must have in mind when discharging its functions.

ICO and Government

“The purpose of the [strategic priorities] statement would be to enable the government to identify and convey those domestic and international priorities that form an important context in which the ICO sets its own regulatory priorities. This proposal is comparable to the UK’s wider regulatory regime; similar powers apply to other regulators such as Ofcom, Ofgem, and Ofwat. As an independent regulator, the ICO will not be bound by the statement of strategic priorities. Instead, the ICO will be expected to respond to the statement, and explain whether and how its work addresses the priorities set out by the government. This is not intended to conflict with the ICO’s statutory objectives, duties, functions and tasks, which would take precedence if any conflict were to arise. This is particularly important given the ICO’s role in regulating the public sector and the importance of preserving its independence.”

Contrary to the government’s stated intention, it is in fact very likely that there could indeed be a conflict.

“To address the risks above, the government proposes to establish an independent board and a chief executive officer at the ICO. The board would be led by a chair with non-executive directors. The chief executive officer would have responsibility for the running of the organisation, while answering to the board. The establishment of an independent chair and statutory board will formalise aspects of the ICO’s existing governance arrangements. Constituting a new governance model formally in legislation will create greater clarity and certainty, and allows for the appropriate public appointment processes by the government that are commonplace for UK regulators. This model is considered best practice for regulators in the UK, such as Ofcom and the Financial Conduct Authority, and across OECD countries, delivering reliable decision-making owing to more collegiality, and a greater level of independence and integrity.”

Sincerity and Probity in Whitehall

Clearly we will need to see the draft legislation and/or regulations in due course to assess whether the government can deliver a governance mechanism which guarantees integrity and independence. Readers may find the reference to “integrity” to be a little surprising. Some observers will question the sincerity and probity of a government which was extremely keen to get its desired candidate (an ex-editor of a government-supporting newspaper for more than 25 years) to be interviewed for the hugely important role of the Chair of Ofcom. As reported in The Times, 26 November, “Last week the former Daily Mail editor hit out at the civil service “blob” for frustrating Johnson’s attempts to install him as chairman of Ofcom, the media regulator”.

In response to questions, a spokesperson for DCMS said the recruitment process for the Ofcom Chair role was “fair and open” and that “the process is regulated by the commissioner for public appointments, who is responsible for ensuring that the appointment is made in accordance with strict guidelines.”

Recently, a group of Scottish and Welsh ministers have written to the new Culture Secretary, Nadine Dorries, asking to be included in the process to appoint a new Ofcom chair. The ministers say they are “extremely concerned” about a “perceived lack of impartiality and transparency” in the process.

Long may the civil service “blob” continue to ensure the probity and sanctity of the public recruitment process.

UK Data Protection

The National Data Strategy provides a mechanism for DCMS to approve ICO guidance and to appoint the CEO of the ICO. In my view these would undermine the standing and independence of the ICO which has been the hallmark of its outstanding role since inception.

The ICO was invited, as part of the DCMS consultation, to respond to the DCMS. The ICO’s response and the foreword, in particular, have been written in an exemplary fashion and I recommend that you read it in full. Selected extracts are shown below with certain sections in bold for emphasis.

Foreword from Elizabeth Denham CBE, UK Information Commissioner

“The opportunity to reflect on and review the UK data protection legal framework and regulatory regime is a welcome one.

Three years have passed since the introduction of the Data Protection Act 2018, and the pace and scale of innovation means the data landscape has changed significantly. How we deliver high standards cannot be static. Digital technologies are one of the engines driving the UK’s economic growth. The digital sector contributed £151bn in output and accounted for 1.6 million jobs in 2019. In June this year it was announced that the UK now has one hundred tech companies valued at $1bn or more, more than the rest of Europe combined.

It is important government ensures the UK is fit for the future and able to play a leading role in the global digital economy. I therefore support this review and the intent behind it.

As the proposals are developed, the devil will be in the detail. It will be important that Government ensures the final package of reforms clearly maintain rights for individuals, minimise burdens for business and safeguard the independence of the regulator.

Despite this broad support for the proposals to reform the ICO’s constitution, there are some important specific proposals where I have strong concerns because of their risk to regulatory independence. For the future ICO to be able to hold government to account, it is vital its governance model preserves its independence and is workable, within the context of the framework set by Parliament and with effective accountability. The current proposals for the Secretary of State to approve ICO guidance and to appoint the CEO do not sufficiently safeguard this independence. I urge Government to reconsider these proposals to ensure the independence of the regulator is preserved.

Recognition of the ICO as a strong, independent regulator is also important in how the UK is seen globally. As Chair of the Global Privacy Assembly I have seen first-hand a clear trend towards high standards of data protection around the world. I welcome the recognition of the value of our high data protection standards in international trade. These standards make it easier to sell products and services. This is good for the public and good for business. Any reforms to the UK data protection regime should therefore always be weighed in terms of their impact on the ease with which data is able to flow between international jurisdictions.

The observations set out in this consultation response are based on our experience of dealing directly with how data protection law impacts people and business. My office has carried out a great deal of work to provide regulatory clarity to businesses through our extensive guidance and tools, as well as initiatives like our regulatory sandbox and grants programme. We also have strong insight into the concerns faced by the public and the regulatory challenges faced by small and medium sized organisations through the hundreds of thousands of calls and enquiries our teams respond to each year.

Data protection is not just an academic exercise, or the province of regulators or data protection officers. It matters to all of us, and has the power to affect every aspect of our lives. I, and my office, remain committed to supporting the Government to ensure a data protection framework that works for everyone, and is fit for both the challenges and the opportunities ahead. The ICO has provided support throughout the development of these proposals, and stands ready to implement the reforms that Parliament decides upon”.

Elizabeth Denham CBE, UK Information Commissioner.

In stark contrast to the carefully curated words of DCMS staff in preparing the DCMS consultation papers, it’s not that difficult to ascertain the government’s true intentions from perhaps less scripted, “sound-bite” comments by Oliver Dowden, the ex-Culture Secretary, calling for rules based on “common sense, not box ticking”.

“The freedom to chart its own course could lead to an end to irritating cookie popups and consent requests online” … “Now that we have left the EU I’m determined to seize the opportunity by developing a world-leading data policy that will deliver a Brexit dividend for individuals and businesses across the UK”.

A further comment on the government’s aspiration to have a bonfire of regulations (and in this context to decrease the perceived “bureaucracy” associated with GDPR) is that companies with a trading footprint across the globe will, if the UK develops different standards, also be required to meet EU standards in any event, thereby increasing the burden, not reducing it.

*bold emphasis added into quotations

The UK’s data privacy journey arguably started off in 1984 with the passing of the 1984 Act. Could we end up in 2024 with an Orwellian version of a new privacy regime that potentially lowers standards and permits the sale of our data to the highest bidder or to data analytics companies with close connections to government and/or a particular political party?

“The National Data Guardian declined to endorse NHS England’s effort to be transparent with its recently published detail on data flows from a patient medical information project that put US spy-tech firm Palantir at the heart of the government’s response to the pandemic.

The COVID-19 data store was launched in 2020 and would pull together medical and operational data about the spread of the virus.

Campaigners forced the government to publish details of the contract supporting the project awarded to AWS, Microsoft, Google, Brexit-linked analytics firm Faculty, and Palantir, whose technology has been employed by the CIA and controversial US immigration agency ICE”.

“Researchers at NHS England are being denied access to datasets on the Palantir platform which supports the COVID-19 data store, with no reason given, despite requests for greater transparency on the system.

According to documents seen by The Register, some staff at the nondepartmental body of the Department for Health and Social Care (DHSC) are concerned about the lack of clarity when requests are made for data sets on the system built on Palantir’s Foundry platform.

Some requests for data are ignored, with no information given in the fields for “decision maker” or “decision reason,” according to screengrabs seen by El Reg”.

Staff we have spoken to point to the fact that while data is pseudonymised – where personal details are given an anonymous marker – individual patient records can be reconstructed by triangulation over several data sets or reintegration with the original marker set. For example, the Personal Demographics Service, controlled by NHS Digital, another non-departmental body of DHSC, can link NHS numbers to patient names and addresses.

Members of technical teams at NHS England have told The Register they see little or no functionality in the Palantir Foundry platform that is not already available with open-source data warehousing and analytics tools.

NHS England was also asked for a response to the information about its relationship with Palantir, as well as transparency of the Foundry system.

Campaigners fought for greater transparency over Palantir’s involvement with the NHS and its COVID-19 data store since its role in the pandemic response first emerged in March 2020.

Palantir was named along with fellow providers Microsoft, Google, and AWS, as well as Faculty, a UK analytics firm with links to the Vote Leave Brexit referendum campaign.

How Palantir is quietly extending its reach through the British state (article on newstatesman.com)

Readers are recommended to read the full article in the link above; extracts are shown below.

“New Statesman analysis shows Palantir has now secured more than £83m of government and NHS deals in the UK. Yet as the company carves out a larger role for itself in Whitehall and the wider public sector, the government stands accused of keeping the public in the dark about how it intends to work with Big Tech in the years ahead.

Palantir’s software provides a platform through which users can access, analyse and link together databases, imagery and various other forms of structured and unstructured data. It has been used by banks to identify staff who might go rogue, US police departments to predict potential perpetrators of crime and immigration officials to track down migrants.

Since the start of the pandemic, the company has been expanding its role in healthcare organisations, including the NHS. In March, Palantir was enlisted, alongside other tech firms, to provide the data infrastructure required to enable the NHS to predict demand on hospitals around the country and distribute resources such as PPE and ventilators accordingly. Palantir committed 45 forward-deployed engineers to the project, dubbed the “Covid-19 data store”, in return for just £1.

Within weeks the contract, which never went to competitive tender, had been extended for four months at a cost of £1m.

When we reported the value of the extended contract in July, NHS England said it had asked Palantir to “package up the work they’ve been doing so the service can go out to tender in an open procurement process”. But observers were concerned at the time that some firms would be deterred from tendering for the contract. When NHS England announced its plans to extend the contract further in September, it did so in a way that meant it didn’t need to hold a competitive tender.

Concerned by the lack of transparency around the work, the tech justice organisation Foxglove and the news site OpenDemocracy threatened to take legal action. “OpenDemocracy (the claimant) and Foxglove (their support) believe that such a fundamental change to the NHS requires a public consultation, under the NHS Act (and other law),” Cori Crider, the founding director of Foxglove, told the New Statesman in mid-December. “It’s for them to decide whether to share the details of their legal defence, whatever it is, but basically they don’t agree with us. They haven’t consulted, haven’t agreed with our urging in correspondence to consult, and there’s no sign they intend to.”

Has the NHS learned a lesson from its experience here? See “Palantir: NHS says future deals ‘will be transparent’” (BBC article).

What can we expect from Nadine Dorries, the new DCMS Secretary and ex-“I’m a Celebrity” contestant known for her populist language, including “left-wing snowflakes” amongst other colourful expressions? Watch this space.

Welcome to the brave new world of privacy regulation, or the lack thereof, in the UK. This is what is happening now, regardless of government’s aspirations set out in its consultation documents.

Is there a glimmer of hope on the horizon?

“The United States, through the National Science Foundation (NSF) and National Institute of Standards and Technology (NIST), and the United Kingdom will collaborate on bilateral innovation prize challenges focused on advancing privacy-enhancing technologies (PETs). PETs present a technological opportunity to harness the power of data in a secure manner that protects privacy and intellectual property, enabling cross-border and cross-sector collaboration to solve shared challenges. PETs are already being used to enable the use of data to drive solutions in ways that preserve privacy, thereby tackling a range of societal challenges, from financial crime to Covid-19. The bilateral prize challenges will strive to mature PETs and accelerate their adoption for a range of practical use cases. Building on decades of investment in PETs, NSF and NIST are leading the interagency initiative to jointly develop the challenges with a team of specialists from across the UK government led by the UK Centre for Data Ethics and Innovation.”

Time will tell. Thanks to Caitlin Fennessy and Katharina Koerner from the IAPP for the LinkedIn alert on this item.

What's Happening in the United States?

This “US State Privacy Legislation Tracker,” produced by the International Association of Privacy Professionals, originally appeared in the IAPP Resource Center. It is reprinted with permission.

Across the Atlantic, what’s happening with data privacy in the United States, our closest ally and one of our largest trading partners? The privacy tracker (above), compiled by the International Association of Privacy Professionals (IAPP), shows the evolving position of US States which 1) have already put legislation in place (not many, and led by California), 2) have legislation effectively stuck at Committee stage, and 3) make up a significant number of States which haven’t passed legislation or where there is currently no legislation in the pipeline.

The prospect of US Federal legislation on privacy is theoretically possible, but is some way off and may depend on whether those States, where matters have stalled in committee or which have shown no interest to date, are influenced by developments in California. The privacy tracker is updated periodically by IAPP when there is some movement, so if you would like to see the latest version, please contact us.

What's Happening Globally?

Reproduced with the permission of David Banisar.

According to David Banisar (ARTICLE 19: Global Campaign for Free Expression, article published August 30, 2021), “nearly 140 countries and self-governing jurisdictions and territories around the world (118 UN Member States, and 20 self-governing jurisdictions) have now adopted comprehensive data protection/ privacy laws to protect personal data held by private and public bodies. Another 30 countries and jurisdictions…have pending bills or initiatives…In nearly all the countries, an independent data protection or information commission oversees and enforces the laws”.

Not every jurisdiction on this list of 140 will have protections in place close to those of GDPR, though it’s clear that the number of countries and jurisdictions wanting to join the global data community is increasing.

Conclusion

With a few notable exceptions, western democracies are coalescing around having high data protection standards though the UK’s ambivalence in its recent policy announcements suggests that Global Britain is determined to pursue its own path.

I would like to conclude by adopting the words of Elizabeth Denham:

“I welcome the recognition of the value of our high data protection standards in international trade. These standards make it easier to sell products and services. This is good for the public and good for business. Any reforms to the UK data protection regime should therefore always be weighed in terms of their impact on the ease with which data is able to flow between international jurisdictions….Data protection is not just an academic exercise, or the province of regulators or data protection officers. It matters to all of us, and has the power to affect every aspect of our lives”.

About the Author

David McIntosh was admitted as a Solicitor in 1988 and is a highly experienced commercial projects lawyer who has advised clients in a number of different fields including intellectual property, data privacy, procurement law (both public and private), manufacturing, distribution, information governance and general regulatory matters covering both the nuclear and pharmaceutical sectors.

Prospect Law is a multi-disciplinary practice with specialist expertise in the energy, infrastructure and natural resources sectors with particular experience in the low carbon energy sector. The firm is made up of lawyers, engineers, surveyors and other technical experts.

This article remains the copyright property of Prospect Law Ltd and Prospect Advisory Ltd and neither the article nor any part of it may be published or copied without the prior written permission of the directors of Prospect Law and Prospect Advisory.

This article is not intended to constitute legal or other professional advice and it should not be relied on in any way.

For more information or advice on data protection or intellectual property issues please contact David McIntosh on dmc@prospectlaw.co.uk or +44 (0) 7483 300 132.