Welcome to our Spring 2021 Data & Privacy eBulletin, where we look at the development of international transfer positions in the UK since Brexit, the Age Appropriate Design Code, an update on the Lloyd v Google case, a look into the proposed EU AI regulation and other news in briefs.

MEPs urge the EC to amend draft decisions on UK adequacy echoing concerns raised in EDPB opinions

On 13 April 2021, the European Data Protection Board (EDPB) adopted two opinions on the European Commission’s (EC) two draft decisions relating to the transfers of personal data from the EU to the UK, released earlier this year.

Progress on the UK’s adequacy assessment could however be undermined by a recent call from Members of the European Parliament (MEPs) to amend the EC’s draft decisions on UK data protection. The Civil Liberties Committee recently passed a resolution evaluating the EC’s approach on the adequacy of the UK’s data protection regime. Concerns relate to the UK’s exemptions for national security and immigration and position on onward transfers, largely echoing the concerns raised in the EDPB opinions. The draft resolution will be debated and put to the vote during next week’s plenary session, together with a discussion of the ‘Schrems II’ ruling concerning data transfers from the EU to the US.

Read more on what the EDPB opinions say and what happens next in our full article here.

Countdown – age appropriate design code

September 2021 is the fast arriving implementation deadline for the Age Appropriate Design Code.

The Children’s Code is a statutory code of practice that applies to organisations providing online services and products targeted at, or likely to be accessed by, anyone under 18.

Under the Code, organisations are required:

• to switch off privacy-intrusive settings by default (e.g. location) and ensure other settings are ‘high privacy’ by default;
• not to deploy ‘nudge’ techniques or tools which might encourage children to turn off or weaken their privacy settings;
• provide prominent, accessible and user friendly privacy tools to enable children to exercise their rights and report concerns;
• provide concise and prominent privacy information to users which is in clear language and formats suited to the age of the child (including information about any parental controls or monitoring); and
• to collect and retain only the minimum amount of personal data necessary.

If your service is for, or is likely to be accessed by, children you will need to take steps to comply with the Children’s Code before 2 September 2021.

You can see our previous Data & Privacy eBulletin here, where we take a deeper look at the Children’s Code.

GDPR-style AI regulation proposed by the European Commission

The European Commission (EC) proposes ‘the first-ever legal framework on AI’ governing the placement of AI on the market, putting AI into service and general post-market monitoring obligations – the AI Regulation.

Generally, the AI Regulation places obligation on various players in the AI landscape and lays out a structure for governance and enforcement, in a format largely similar to those imposed by the EU GDPR.

Read more on the rules and implications in our full article here.

Supreme Court hears key Data Protection Act ‘representative claims’ appeal by Google

At the end of April, the Supreme Court heard an important appeal by Google in the Lloyd v Google case over whether ‘representative’ claims for breaches of the Data Protection Act (DPA) 1998 can be brought on behalf of other unidentified members of a ‘class,’ and whether damages are available to them under section 13 of the DPA 1998.

You can find out more about the implications here.

News in brief

ICO is working on UK set of Standard Contractual Clauses (SCCs) This summer, the ICO intends to consult on a set of UK SCCs that it has prepared for international data transfers from the UK. The EU SCCs are also being updated separately and are expected in the coming weeks. Meanwhile, the ICO is confident that the UK’s EU adequacy assessment can be completed by the end of the UK bridging mechanism period. New cyber security laws to protect smart devices The Government plans to enact legislation that requires manufacturers of smart devices to inform customers upfront of how long the device will receive security software updates. The new law will also include a ban on manufacturers using default, easily guessable passwords as part of a smart device’s factory settings. The legislation is part of the Government’s efforts to tackle cyber security threats in an increasingly digitalised world and keeping the UK safe and secure online as we emerge out of the pandemic. Internet of Secure Things (IoXT) Alliance, a tech association whose memberships include Google, Amazon and Facebook, has welcomed the proposed legislation. The Alliance recognises that these are important to protect customers and the businesses that use them. The Council of the EU under Portuguese presidency has updated the draft ePrivacy Regulation While no substantial changes have been made to the conceptual framework of the draft ePrivacy Regulation, the amendments aim to simplify its text and promote further consistency with the EU GDPR. The amendments reinsert previously deleted provisions that allow the processing of electronic data for purposes compatible with the initial purpose of data collection. They also authorise service providers to process electronic communication data for the performance of a contract for the purposes of providing an electronic communication service rather than for the purposes of archiving only. If necessary, service providers can also access data on end-users’ devices for the performance of a contract.