The DPOInsider covers the latest news and developments in data compliance and privacy. The DPO's favourite weekly read ☕️
UK post-Brexit reform - take 2
There’s a lot of concern about the UK government's revised "Data Protection and Digital Information (No. 2) Bill." While the bill retains the spirit of GDPR's purpose limitation principle, it also introduces worrying elements that could negatively impact data privacy.
In a regressive move, the bill reduces businesses' requirements to maintain records and conduct proactive oversight of their data processing activities. This could hinder their ability to respond to user requests related to data or provide comprehensive accounts of exposed information in case of security breaches. Furthermore, the bill's expansion of the definition of scientific research could make it easier for businesses to justify processing personal data for commercial use, potentially compromising privacy.
Another point of concern is the potential interference with the independence of the Information Commissioner's Office (ICO), as the bill allows for the appointment of a new board whose members may be influenced by the Secretary of State. This could jeopardize the ICO's autonomy and, consequently, the UK's "essential equivalence" with the EU's data protection rules.
While further amendments to the bill are still possible, it's important for data privacy professionals to stay informed about these developments and voice our concerns. Let's work together to ensure that the UK maintains a high standard of data protection, putting people at the center of any legislative changes.
Brussels sets out to fix the GDPR
I can't help but feel a mix of hope and apprehension as the European Union finally addresses the challenges within the General Data Protection Regulation (GDPR). With a new law proposal expected before summer, the focus is on improving how EU countries' privacy regulators enforce the GDPR. This is certainly a step in the right direction, as the GDPR has been widely regarded as a game-changer in global tech regulation since its adoption in 2016.
However, the last five years have also exposed some inefficiencies in the system, especially when it comes to tackling major cases involving Big Tech companies. A key issue is the powerful role that the Irish Data Protection Commission holds under the one-stop-shop rule, directing most major investigations through the Irish system. Critics argue that this has led to lax enforcement in some cases, although recent multimillion-euro fines have been imposed on companies like Meta.
The upcoming EU regulation, expected in the second quarter of 2023, seeks to establish clear procedural rules for national data protection authorities in cross-border investigations and infringements. It aims to harmonize aspects of administrative procedures and support the smooth functioning of GDPR cooperation and dispute resolution mechanisms.
However, the Commission's new privacy law proposal will undoubtedly face challenges from lobby groups, regulators, and Big Tech companies alike. The road to a more efficient GDPR enforcement system will not be without hurdles, but as privacy professionals, we must remain optimistic and work towards a future where data protection is effectively safeguarded. Time is of the essence, as the European elections in spring 2024 will limit the window for pushing this.
Other data privacy news
US Turns Up Heat on TikTok Over Data Security With Threat of a Ban
Last week FBI Director Christopher Wray told a U.S. Senate hearing that TikTok “screams” of security concerns.
UK ICO Issues Updated Guidance on AI and Data Protection
On March 15, 2023, the UK Information Commissioner’s Office (“ICO”) published an updated version of its guidance on AI and data protection (the “updated guidance”), following requests from UK industry to clarify requirements for fairness in AI.
The Hidden Data Security and Compliance Risks of Organizational Silos
Are organizational silos opening up hidden risks for compliance and data security?

