Data Protection and Digital Information Bill 2.0
March saw the UK Government recommence its efforts to reform the UK data regime by introducing the aptly named "Data Protection and Digital Information Bill (No.2)" to Parliament on 8 March 2023. The second draft bill supersedes the original version that was paused in September to allow ministers to rethink their approach and engage in a co-design process with businesses, promising a more "tailored", "truly bespoke" and "business friendly" British system of data protection. Despite ministers hinting that significant amendments would be made to the draft text, the second draft bill largely serves to fine tune and clarify a number of the proposed amendments set out in the first draft bill to existing UK data protection laws. Refer to our blog here for further details of the changes proposed in the second draft.
Spotlight on AI Regulation
March also saw a flurry of activity at the UK and EU levels around AI-specific regulation. The Department for Science, Innovation and Technology ("DSIT") published its long awaited white paper on the UK's approach to regulating AI technologies. Against the backdrop of a pro-innovation Spring Budget 2023, the proposals in the AI regulation white paper aim to help create the "right environment for artificial intelligence to flourish safely in the UK", taking an "adaptable approach" to future proof regulation by empowering existing regulators to tailor context-specific and sector-led approaches in line with five common principles. The government intends to avoid introducing both a new single regulator for AI governance or heavy-handed legislation, an approach that is distinct from the European Commission's comprehensive centralised legislative framework in the draft EU AI Act which is set to undergo a vote by the European Parliament's IMCO (Internal Market and Consumer Protection) and LIBE committees towards the end of April.
In parallel the UK ICO updated its "Guidance on AI and Data Protection" in response to industry feedback, to keep pace with new challenges and opportunities presented by AI and underpin the ICO's commitment as part of its ICO25 strategic plan – areas of interest include new chapters / additions on transparency in AI, assessments in DPIAs, ensuring fairness in AI and lawfulness in AI. The Italian data supervisory authority – Garante – also introduced a temporary ban on chatbot, ChatGPT, and launched an investigation into its provider, OpenAI, for suspected breaches of the EU GDPR and failing to implement age verification systems.
Data Act developments
The EU has continued to progress the regulation of data beyond just "personal data". The European Commission's proposed EU Data Act aims to establish a harmonised cross-sectoral governance framework to make it easier for business to access and use non-personal data – this has potential to fundamentally change the environment for data-driven business models in the EU, including where data is used for AI purposes. During March 2023 the European Parliament plenary session adopted its position on the proposed EU Data Act, including additions intended to give individuals greater control over their non-personal data and to incentivise data-sharing. Other additions by the European Parliament include strengthening protections to stop organisations using accessed data to retro-engineer competitors' products and putting stricter conditions on data that governments are entitled to request from organisations.
The European Council (comprising each of the member states) also adopted its position on the Data Act shortly after, setting out various changes in its negotiating mandate as well, including around the interaction between the proposed Data Act and existing data protection law, and the rules on switching between data processing services such as cloud computing services. Trilogue negotiations between the European Parliament, the European Council and the European Commission (the latter will be consulted) are now set to begin in the coming weeks.
One stop shop overhaul
The European Commission is planning to make cross-border enforcement of the EU GDPR more efficient, including harmonising aspects of the administrative procedure that data protection authorities apply across the EU when enforcing the EU GDPR in cross-border cases. Inconsistencies and lack of harmonisation across member states in the one-stop-shop process are thought to have been an issue for quite some time and the European Commission intends to support smoother functioning of the GDPR cooperation and dispute resolution mechanisms. The Commission's proposal is expected to be published in Q2 2023 and is in response to a proposed "one-stop-shop" reform that the European Data Protection Board ("EDPB") sent to the Commission in October 2022. It also follows a call for views which the Commission launched in February 2023 following receipt of the EDPB's proposal.
Privacy Shield 2.0
In the latest twist in the replacement international data transfer framework between the EU and US, the EDPB has raised concerns with the European Commission's draft EU-US Data Privacy Framework (DPF) adequacy decision published in December 2022. The draft DPF is intended to replace the EU – US Privacy Shield, which was invalidated by the Court of Justice of the EU (CJEU) in the so-called "Schrems II" ruling (refer to our blog here). In a non-binding opinion recently issued by the EDPB, it welcomes "substantial improvements" such as requirements around the principles of necessity and proportionality for US intelligence gathering of data and a new redress mechanism for EU data subjects. However, concerns remain and the EDPB requests clarification on several points as well, including certain rights of data subjects, onwards transfers, the scope of exemptions, temporary bulk collection of data and the practical functioning of the redress mechanism.
The EDPB also requests that both the entry into force and adoption of the adequacy decision are conditional on US intelligence agencies adopting updated policies and procedures to implement Executive Order 14086, commitments made by US President Joe Biden last year in part to address concerns raised in the "Schrems II" ruling (refer to our blog here). A committee of member state representatives now needs to give its opinion on the DPF before the Commission can adopt the framework – while the EDPB's opinion is not binding, it is expected to influence this process. The European Parliament LIBE Committee also rejected the adequacy decision in February 2023 on the basis that it fails to create equivalence and urged the Commission to only adopt a decision after meaningful US reforms. Refer to our blog here for further details on the background to the EU – US Data Protection Framework.
China international data transfers
Remaining on the international data transfer theme, the Cyberspace Administration of China has officially released its long-awaited, final version of the Standard Contract for outbound cross-border transfer of personal data. This is one of three permitted mechanisms for transferring personal data outside of China and is expected to be the most frequently used – being the least complicated mechanism with the lowest cost of compliance. The Measures for the Standard Contract for Outbound Cross-border Transfer of Personal Data and the final version of the Standard Contract will come into force on 1 June 2023 and their contents remain largely consistent with the June 2022 consultation drafts but with some important variations. There are also still a number of areas that require clarification. Refer to our blog here for further details of criteria for when the standard contract can be used for international data transfers and areas requiring further clarification.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.