DP News – Week 47. Developments in the UK privacy law.

The work on the proposed UK’s Data Protection and Digital Information (DPDI) Bill was put on hold since the UK government’s recess earlier this year, and then the bill was removed from the House of Commons’ second reading calendar.

However, during the recent IAPP Data Protection Congress in Brussels, there have been clear signs that the work on the bill will be resumed. Owen Rowland, the UK Department for Digital, Culture, Media and Sport Deputy Director for Domestic Data Protection Policy, confirmed during the congress that new consultations on the bill will start shortly. While one should not expect full-scale public consultations to be arranged, several groups of actors (businesses, consumer groups, privacy practitioners) will be approached during the consultation process. The details of the consultation process are expected to become known in the weeks to come.

Interestingly, two weeks ago Politico published an article about serious criticism voiced by some members of the European Parliament in respect of the planned data protection reform in the UK. Some privacy practitioners opined that this may potentially threaten the EU-UK adequacy decision, depending on how far the reform will go.

Moving to the other news coming from the UK, on 17 November, ICO published an update to the guidance on international data transfers. This includes a new section on transfer risk assessments (TRAs) and also a TRA tool.

As ICO explains in the blogpost, the “TRA guidance clarifies an alternative approach to the one put forward by the European Data Protection Board. Our aim is to find an alternative, achievable approach delivering the right protection for the people the data is about, whilst ensuring that the assessment is reasonable and proportionate. To do this, we created a six question TRA tool with guidance and tables to help people work through it. It gives an initial risk level for categories of data, and we have moved the focus to whether the transfer significantly increases the risk of either a privacy or other human rights breach. We believe this captures the key risk to the people the data is about, and is also achievable”.

As for the future plans in this regard, ICO clarifies that it is “working on guidance showing you how to use the IDTA [International Data Transfer Agreement] and the Addendum to the SCCs (including clause by clause guidance)”. ICO is also “considering extending the TRA guidance to include worked examples to show how the TRA tool can work in practice”.