In September 2021, the Department for Digital, Culture, Media and Sport consulted on the future of U.K. data protection law. DCMS published its response to this consultation, and a first draft of the new bill is expected imminently.
DCMS recommends several changes to U.K. law. None represents a total overhaul in approach — the U.K. will retain the “U.K. General Data Protection Regulation,” its existing Data Protection Act and its existing ePrivacy regulations, along with most of their existing provisions. Some changes are relatively minor tweaks intended to resolve perceived uncertainties. Others are more substantial, especially those to accountability requirements and the U.K. Information Commissioner’s Office powers and priorities.
These proposals can broadly be grouped as changes to:
We have summarized these proposals below; color coding shows the degree of change these represent for an organization’s compliance:
Accountability
DCMS suggests that removing specific accountability requirements will contribute to “£1 billion in costs savings” by reducing the business burden. Despite this lofty prediction, the proposals do not promise a wholesale reduction in administrative burden.
In summary, businesses must still hold inventories (but not quite the same as records of processing activities), must still assess the data protection impact of their activities (but not in the same way as a DPIA), and must appoint a responsible individual (but not quite the same person as a data protection officer).
For businesses with a U.K.-only base, these changes could prove helpful. Much will depend on how the “risk-based approach” translates to legislation and how the ICO chooses to apply it. Those caught by the EU GDPR will likely continue to look to EU requirements to try and meet their U.K. obligations. The government predicts “organisations that are currently compliant with the UK GDPR would not need to significantly change their approach to be compliant with the new requirement.” An area of apparent divergence relates to privacy personnel: The EU GDPR frequently requires a DPO, who must be independent and free from conflicts of interest; by contrast, DCMS will require a “senior responsible individual.” Based on the proposals, it seems unlikely that the same individual could realistically perform both privacy roles for organizations caught by both requirements.
The proposed higher threshold for breach reporting, which would have offered a clearer reduction in burden, is one of the few measures dropped from the original consultation.
DCMS proposes “clarifications” of the existing law: “scientific research” will be defined and provisions dealing with research reorganized to aid understanding. Rules around further use of data will also be clarified — it is not clear what this will involve. More than any other section of the proposals, the devil will be in the details of the drafting.
Where consent was the original legal basis, DCMS proposes that further processing for research should only be permitted in “very limited circumstances.” This may be restrictive for organizations reliant on consent, which cannot be refreshed — for example, where contact details are no longer held or where data is only held in pseudonymous form. This seems more likely to restrict research than offer encouragement.
More helpfully, DCMS proposes to extend the disproportionate effort exemption under Article 14 to data collected directly from data subjects. This will only be available for further processing carried out for research. A number of respondents had flagged concerns here, particularly in the area of longitudinal studies where pseudonymization and the combination of multiple data sets make it nigh impossible to re-contact data subjects.
The government has shied away from more radical proposals on subject access, particularly on imposing either U.K. Freedom of Information Act-style cost ceilings or nominal fees. Instead, DCMS will introduce a replacement threshold for rejecting or charging for a data subject access request, which will block “vexatious or excessive requests.” In the leading case of Information Commissioner v. Devon County Council & Dransfield in the Upper Tribunal, the judge emphasized the term “vexatious” needed to be interpreted “in the particular statutory context of FOIA, rather than in legislation generally.” Given the apparent importance of a statute’s specific context, it is not clear how importing the lengthy jurisprudence on vexatious requests for public access to public data will prove useful to controllers handling complex and expensive DSARs often brought by disgruntled employees. A lot will rest on ICO guidance and application — much like it does today.
Proposals to widen existing exemptions under Article 49 to repetitive transfers and allow organizations to identify their transfer mechanisms outside of Article 46 have been dropped.
DCMS still proposes to amend requirements on assessment of other countries’ laws and safeguards under Article 46, to ensure these can be done more “pragmatically and proportionately” and to change the process for the U.K.’s adequacy assessment of third countries. There will be a continued insistence on high standards, but when met, the value in facilitating transfers with a particular country could be considered under DCMS’s proposals.
Almost all of the changes proposed to the U.K.’s ePrivacy regime have survived consultation. These are mostly self-explanatory. A number of ministers and backbenchers longing for an imminent end to cookie banners, however, will need to wait and choose their websites carefully for this to become a practical reality.
A move to an “opt-out” model for cookies — trumpeted in DCMS’s press release — will only happen “when government assesses that (browser based and similar) solutions are widely available for use.” This may take longer than the expected lifespan of third-party cookies as behavioral advertising tools. In any event, this model will not be available for sites caught by the Age Appropriate Design Code. In the short term, consent will not be needed for certain “non-intrusive” purposes, such as analytics.
The government narrowed its proposal to create a list of legitimate interests for which no legitimate interest assessment would be needed. This offers the possibility to reduce the documentation burden of important processing, such as safeguarding children or preventing and detecting crime.
The government is also considering further proposals to extend or adapt existing grounds in Schedule 1; i.e., allow more processing of special category data where this is in the substantial public interest.
The government’s consultation proposed reducing the burden of compliance on artificial intelligence innovation and ensuring fairness in machine learning. Many of these proposals have been dropped or moved to a proposed white paper on AI governance.
DCMS will still introduce a condition to explicitly permit the use of special category data for bias detection and correction. Article 22 will also be reframed to offer safeguards rather than its current prohibition of certain automated decisions. It is unclear from the proposal whether this amendment will be made now or wait for the envisioned white paper.
Some of the most substantial proposed changes are to the structure and priorities of the ICO. These will not necessarily lead to a big impact on the internal compliance obligations for businesses processing personal data — and so aren’t listed in our table above — but would impact the guidance and strategic focus of the ICO. In particular, the government proposes to:
A majority of the consultation’s respondents raised concerns with these proposals, particularly concerning the impact they might have on the ICO’s perceived independence from the government. These proposals may well be the main focus of EU adequacy concerns.
The government is expected to move promptly to issue draft legislation in July. Once published, the passage of legislation through the Houses of Parliament leaves an opportunity for organizations to lobby for changes to the proposals and seek additional clarification and guidance on their impact.
© 2022 International Association of Privacy Professionals.
All rights reserved.