Other Author Kahroba Kojouri, Trainee Solicitor
- The adoption of the UK Online Safety Bill by the UK. The UK Online Safety Bill was proposed by the UK government to establish a new regulatory framework to tackle harmful content online and usher in a new age of accountability for tech companies. The bill will impose a duty of care on companies that offer user-generated content, in addition to search engines, to protect users from abuse, fraud and violence.
- The adoption of the Digital Markets Act and the Digital Services Act by the EU, aimed at encouraging competition and innovation between digital platforms and creating a safer digital space where the fundamental rights of users are protected.
- The arrival of new instruments that will replace the Standard Contractual Clauses (SCCs) for restricted transfers made from the UK. In August 2021, the ICO launched a public consultation proposing the adoption of the International Data Transfer Agreement (IDTA), and a new UK transfer risk assessment (TRA) for such transfers. We expect the IDTA and its associated documents to be finalised in the first half of 2022.
- The adoption of new adequacy decisions by the UK and the EU. In the UK Government’s Consultation for data protection reforms, the UK Government indicated its intention to progress an ambitious programme of adequacy assessments. The list of top priority countries and otherwise for adequacy for the UK include the following: Australia, Brazil, Colombia, The Dubai International Financial Centre, India, Indonesia, Kenya, The Republic of Korea, Singapore and The United States of America. The EU Commission is also actively exploring adequacy with respect to other states, in particular, countries in Asia and Latin America.
- Whilst the EU-US Privacy Shield was struck down by the Court of Justice of the European Union in the “Schrems II” decision in July 2020, negotiations between EU and US officials have been ongoing to secure a new arrangement for safe transatlantic data flows. Reports indicate that negotiations have progressed quickly and significant progress has been made towards reaching an agreement.
- Following its departure from the EU, the UK Government is intent on reforming the UK’s data protection and privacy regime to deviate from the more stringent requirements of the GDPR to drive growth and innovation in the UK. The UK Government is now analysing the feedback it received from its consultation which outlined its proposals for such reforms. We expect that the Government will release the outcome of the public feedback it received in 2022 and its plans for the UK’s new data protection and privacy regime.
- The ICO has been publishing draft chapters on its guidance on anonymisation, pseudonymisation and privacy enhancing technologies and seeking feedback from the public on the chapters. The ICO is expected to publish their finalised guidance on anonymisation and pseudonymisation in 2022 to enable businesses to share personal data in a lawful and safe manner by using anonymization and pseudonymisation techniques, along with other privacy enhancing technologies and technological solutions.
- The Medicines and Healthcare products Regulatory Agency (MHRA) plans to adopt a work programme which will provide a regulatory framework to govern software and AI as a medical device. The aim of this programme is to provide clear guidance and standards to ensure that these devices are safe for use by the public.
- The UK Government will seek to implement its newly published National Cyber Strategy over the next ten years, which outlines its commitment to spend £22 billion on research and development to strengthen the UK’s cyber capabilities as a way to protect and promote the UK’s interests in a fast-moving digital world. These plans involve establishing technology at the core of the UK Government’s plans for national security, adopting an offensive cyber strategy against cyberattacks and ensuring cyberspace is a reliable and resilient place for businesses to flourish.
- On 21 April 2021, the European Commission released its draft of the Artificial Intelligence (AI) Act, which is an attempt to regulate AI technologies across the European Union (EU) in a consistent manner. It is modelled on a four-tiered risk framework which sets out the requirements and obligations that are imposed on providers and users of AI systems which are proportional to the potential risks to the health, safety and fundamental rights of individuals that the AI system poses. We expect to see lengthy deliberations on the proposed act in the European Parliament and Council in 2022, which may continue into 2023, or may conclude towards the end of 2022. The UK will also be seeking to progress its National AI Strategy; however, by contrast, the UK Government’s objective is to create a progressive and pro-innovation regulatory environment that will enable businesses to adopt AI and compete internationally.
- A decision of the Court of Justice of the European Union is expected in 2022, which will provide clarification on the entitlement of damages under Art. 82 GDPR and, in particular, whether a mere violation of the GDPR is sufficient for damages to be awarded. Procedural, material and case law developments in various EU Member States and the UK are likely to also have an impact on claims brought for breaches of the GDPR.
- The adoption of the NIS2 Directive by the European Union. On 16 December 2020, the EU Commission published its proposal for a revised Directive on Security of Network and Information Systems, known as the NIS2 Directive. This directive was proposed by the EU Commission in response to the growing threat posed by the surge in cyber-attacks and cyber-crime, which are growing in scale, cost and sophistication. The NIS2 Directive is intended to further improve cooperation among member states in the area of cybersecurity, expand the scope of application to new sectors and implement a stricter supervision and enforcement regime. Whilst the NIS2 Directive is still under negotiation, the Council of the European Union confirmed on 3 December 2021 that it had agreed its position on the matter and that it was hopeful the text could be agreed during the course of 2022.
- Enforcement of the UK Children’s Code, which provides a set of standards that online services, including apps, games, social media platforms, connected toys and devices, must comply with if they are likely to be accessed by children under the age of 18. The Code was passed to safeguard the personal data of children. Similarly, the European Data Protection Board is also expected to issue new guidance on the processing of personal data of children and other vulnerable individuals in the European Union.
- The possible adoption of the EU ePrivacy Regulation. The ePrivacy Regulation will replace the ePrivacy Directive of 2002 and will provide specific rules governing electronic communications to protect the privacy of users. The regulations will not only protect the personal information of users, but also the metadata relating to their communications. Whilst the Council of the European Union has adopted its compromised position on the new ePrivacy Regulation, the Council of the European Union and the European Parliament have yet to agree on a number of significant issues, so it remains to be seen if the text can be agreed in 2022.
Stay up-to-date on our perspectivesSubscribe to Email