
International data transfers

The Information Commissioner’s Office (ICO) is expected to release clause-by-clause guidance on the International Data Transfer Agreement (IDTA) and the Addendum to the EU GDPR Standard Contractual Clauses (EU SCCs), which will assist in guiding organisations transferring data to ‘third countries’. For more information see here: What you need to know about the new international data transfer laws.

The UK and US are likely to make further significant strides towards concluding a data adequacy decision in 2023, which will boost UK trade by allowing personal data to be transferred securely and more freely from the UK to the US. More information on the UK-US adequacy decision can be found here: The United Kingdom and the United States make progress towards data adequacy.

The EU is also expected to implement a data privacy framework to foster the transfer of data between the EU and the US. However, Max Schrems, an Austrian activist, and the activist group noyb have indicated their intention to challenge the framework as they believe that it does not meet the requirements of EU law.

Data security

We can expect to see changes to data security requirements for certain sectors, in particular:

  • The Government has called for views and information on measures to enhance the security of online accounts, including those which process personal data, as well as proposing an additional ‘duty to protect’ such accounts.
  • The Government has recently published an app code that sets minimum security and privacy requirements for app store operators and app developers to implement.

Rights of data subjects

The ICO plans to launch a subject access request tool to help people make requests and understand their rights. The ICO may also continue to investigate and reprimand organisations that fail to comply with data access obligations and explore ways of working with other services to reduce the number of organisations that a complainant needs to deal with.

Age-appropriate design code

The ICO will release the results of its consultation on the age-appropriate design code of practice (Children’s Code) in early 2023. This code is intended to make the internet a safe space for children by ensuring that children’s personal data is processed fairly and in compliance with data protection laws.

For more information on the age-appropriate design code, see our article published here: Children’s Code: firms must be compliant from 02 September 2021.

Cookies & direct marketing

The ICO’s work on its draft statutory direct marketing code of practice has been paused pending developments in relation to the Data Protection and Digital Information (DPDI) Bill. However, the ICO has published updated guidance on direct marketing which will form the basis for the code once changes to the law are in place.

The ICO’s annual action plan for 2022-23 includes a focus on enforcing compliance with the Privacy and Electronic Communications Regulations 2003 (PECR) and looking at the impact of predatory marketing calls and data-enabled scams, and fraud targeting vulnerable people.

The advertising industry and its regulators, including the ICO and the Competition and Markets Authority (CMA), will continue to examine online behavioural advertising (OBA) and how it can comply with both data protection and competition laws. The Government’s online advertising programme consultation is also awaited in this regard.

In early 2023, the CMA plans to publish its third update report on Google’s implementation of the binding commitments it has accepted to address competition concerns related to Google’s removal of third-party cookies on Chrome and their replacement with alternative ‘Privacy Sandbox’ technologies.

Employee personal data

The ICO will continue to release guidance on employment practices, including monitoring at work and information about workers’ health. In addition, it may also release further guidance on recruitment and selection, employment records, and checklists/tools.

The Court of Justice of the European Union (CJEU) will consider the interpretation of Article 88 of the EU GDPR on the processing of employee personal data in the context of employment, and in particular, whether a bank’s employee (who was also a customer) has the right to know, from among the information available to the bank, the identity of the employee(s) who, under the authority and on the instructions of the bank, have consulted that employee’s personal data.

Sanctions & remedies

Overall, the ICO’s data security incident trends show a decrease in reported occurrences, with the majority being non-cyber, and wrongly sent emails being the most common type of breach.

2022 saw a rise in group action claims and privacy activism, which has been a productive way of claiming compensation or enforcing legislation. For example, a group action comprising over 1,000 cases was brought against Ticketmaster for a data breach in 2018, which saw it withdraw its appeal against a £1.25m penalty.

There are a number of cases likely to conclude in 2023, including:

  • The Gormsen -v- Meta Platforms case relating to competition law breaches and misuse of personal data, under which a decision could be made around proceeding on a collective action for £2.3b; and
  • Tanya O’Carroll’s case against Facebook concerning the right to object under the UK GDPR and whether this prevents Facebook from using her data for advertising and marketing purposes. If this case is successful, it could set a significant precedent for all Facebook users to enforce their rights to object to Facebook using their data.

In the wake of the £4.4m penalty to Interserve (more information can be found here: £4.4 million fine issued to firm for breach of its own staff’s data), the ICO has warned organisations not to be complacent around cyber security measures, stating that organisations that do not invest in cybersecurity measures to protect personal data can expect significant fines.

Large fines under the EU GDPR are expected in EU countries, such as the Irish DPC’s fines against Meta of €405m and €265m for data protection infringements by Instagram and Facebook, respectively.

Please note that this information is for general guidance only and should not substitute professional legal advice. If you have specific concerns, we recommend consulting one of our legal experts.

For advice on the above developments and how your organisation can comply with data protection legislation, contact our Commercial team on 01332 226 466 or fill in the form below.
