norm. data protection bulletin: 03rd April 2023

Privacy and Consumer Trust

The International Association of Privacy Professionals (IAPP), of which I am a member, has published a report ‘Privacy and Consumer Trust’ which I would like to bring to your attention. The report shines a light on what consumers around the globe think about privacy and the organisations that collect, hold and use their data. The key takeaways of the report are:

1. Consumers care about their privacy

Nearly 68% of consumers throughout the world said they are either somewhat or very concerned about their online privacy. This concern affects how much they trust companies, organizations and governments to collect, hold and use their personal data. Consumers make choices based on their perceptions of privacy, adjusting their compasses in a world awash in data by deleting apps, withholding information and avoiding purchases when they feel their privacy is at risk.

2. Consumers believe legal compliance drives privacy efforts

More than 35% of consumers ranked compliance with legal obligations as the biggest factor motivating companies to protect their privacy. While other forces — from corporate values to competition in today’s marketplace — are thought to play a role, most consumers see privacy laws and regulations, such as the GDPR, as having a large or moderate effect on the privacy practices of companies.

3. Consumers struggle to comprehend what data is collected and how it is used

Consumers’ ability to understand what organisations do with their personal information has long been hindered by hard-to-read privacy notices. Few consumers said it is easy for them to understand whether a company follows good privacy practices. The majority of consumers had limited understanding of the types of personal data collected about them. Globally, only 29% of consumers said it is easy for them to understand how well an organisation protects their personal data.

4. Consumers are clear on what enhances and what reduces their trust in an organisation

There are several actions consumers want organisations to take/not take, to gain their trust. According to 64% of consumers, organisations that provide clear information about their privacy policies enhance their trust. Meanwhile, 33% of consumers would lose trust in an organisation that uses their data to offer them products or services from another organization.

5. Cybersecurity affects consumers’ brand loyalty

Data breaches are becoming common experiences for consumers globally. A majority of global consumers report being impacted by a data breach that targeted an organisation from which they purchase goods or services. More than 80% of impacted consumers said they are likely to stop doing business with an organisation after it is the victim of a cyberattack.

6. Computer automation with no human oversight is perceived by most consumers as a privacy risk

Peering out over the frontier, artificial intelligence and other emerging technologies raise privacy concerns for consumers. Indeed, 57% of global consumers view the use of AI in collecting and processing personal data as a significant threat to privacy. Trust in companies also varies based on whether they use humans or computers to analyse collected data. Interestingly, a majority of consumers preferred their data being processed by a combination of human and computers.

As this report makes clear, a significant portion of consumers around the world feel their privacy is valuable and are increasingly willing to forgo benefits, change their consumption habits and take other steps to ensure their privacy is protected.

Data Protection ‘reform’ Bill revived

On 8 March 2023, the Government introduced the Data Protection and Digital Information (No. 2) Bill. The first version of this bill was originally proposed by the Government in July 2022, but was put on pause during September 2022. According to the Government, this proposed new law will “cut down pointless paperwork for businesses and reduce annoying cookie pops-ups” and “provide organisations with greater confidence about when they can process personal data without consent”.

Key Proposals (Our preliminary understanding of this Bill)

Records of Processing Activities (ROPAs): The Bill introduces an obligation to maintain a ROPA only where the processing being carried out is likely to result in a “high risk” to individuals. What ’high risk’ means has not been set out, but there’s a requirement for the ICO to publish a document containing examples of types of processing which it considers are likely to result in a high risk to individuals for these purposes.

Insight: This means that no organisation, regardless of the numbers of its employees, will need to maintain a ROPA, unless it’s processing is ‘high risk’.

Data Protection Impact Assessments (DPIAs): Organisations will no longer need to conduct data protection impact assessments (DPIAs). Instead, they will need to implement an “assessment of high-risk processing”. The bill removes the list of activities deemed to be high risk which was in the UK GDPR and emphasises there should be a focus, when assessing risk, on how the organisation operates and the type of data it processes.

Insight: Should make assessing risk easier and quicker.

Subject Access Requests (SARs): The Bill allows you to refuse to respond to a SAR or charge a fee if the SAR is ‘vexatious or excessive’. (A request may be vexatious if it is not made in good faith or is an abuse of process).

Insight: This could mean that, where a SAR is (as is often the case in HR related claims) motivated not by privacy concerns, but as a pre-litigation disclosure exercise, or has a “mixed motive”, it may be more open to challenge and refusal than at present.

Cookies: The categories of cookies that do not need consent will be increased. The new exceptions to the prior cookie consent requirement include:

• the business is only using the cookies to collect information for statistical purposes about how the service is used (i.e., analytics) and the information is not shared with other parties except for the specific analytical purposes; and
• the user is provided with clear and comprehensive information about the purposes of the cookies.

Insight: Organisations will more easily be able to collect analytical data about their websites and products without needing to obtain prior consent. However, there will still be a requirement to provide the user with a simple means of objecting to the cookies.

Legitimate Interest:

Organisations will no longer have to balance their legitimate interests with data subject’s rights and interests where necessary for one or more of the following “recognised legitimate interests”

• processing necessary for the purposes of direct marketing (but this does not mean that consent will not be needed where this is required by the Privacy and Electronic Communications Regulations (PECR)); and
• intra group transmission of personal data (whether personal data of clients, employees or other individuals) necessary for internal administrative purposes; and
• processing necessary for the purposes of ensuring the security of network and information systems.
• preventing crime
• civil emergencies, and
• safeguarding vulnerable individuals.

Insight: In these limited circumstances, this will make relying on legitimate interests as a lawful ground for processing easier.

Data Protection Officers:

Where the organisation is a public body the requirement to appoint a DPO has been replaced with an obligation to appoint a senior responsible individual (SRI). This change really only affects those organisations.

In general terms, the role of SRI will be very similar to that of a DPO – they must oversee data protection compliance, advise on data protection issues, and act as contact point with the ICO. Crucially, SRIs will also be responsible for “dealing with personal data breaches”, and interestingly the SRI will have the ability to delegate this responsibility – which reflects the reality that many businesses already outsource this function, as it can be difficult to find the depth of expertise in-house.

In any event, John Edwards, the Information Commissioner, has stated the ICO will still take account of whether organisations have appointed a DPO when conducting investigations, and that he expects those whose activities involve a lot of data processing to continue to appoint a DPO.

Insight: Same difference?

ICO: The office of the ‘Information Commissioner’ will be replaced, the ‘Information Commission’, which will consist of members appointed by the Secretary of State.

Insight: This will give the government greater oversight over the ICO.

Definition of personal data: The definition will be narrowed, broadly by limiting this to persons identifiable by the organisation which has the data and others likely to receive the information.

Insight: This seems to mean that data which is personal data in the control of one organisation will not automatically be personal data after it is shared with another organisation.

Data transfers: The new draft Bill confirms that transfer mechanisms lawfully entered into before the Bill takes effect will continue to be valid under the new regime.

Insight: This seems to mean that there will no longer be a need to make changes to contractual arrangements made some time ago using the ‘old EU SCCs’ (which otherwise were due to become invalid on 24 March 2024).

Scientific research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity.

Insight: This will give commercial organisations greater scope to use existing data for product development. It could be very helpful to life sciences organisations.

Data security: The Bill modifies the terminology in the GDPR by replacing the requirement to implement “appropriate technical and organisational measures” (‘TOMs’) with “appropriate measures, including technical and organisational measures”.

Insight: Same difference?

UK Representatives: Organisations that are not established in the UK will no longer need to appoint a Data Protection Representative within the UK.

Insight: Did anyone actually appoint a Representative in the UK?

Each of these will be considered in more detail in due course.

What next?

The Bill needs to go through the usual Parliamentary procedures (presenting it as a new Bill means it has to go back to the starting line). Because the Parliamentary session will now run until Autumn and given that there has been little suggestion of any objection from the Opposition, there should be ample time for it be passed.

Conclusion

The key takeaway from this is that the Government has said that compliance with the current UK regime will be compliance with the new one. In other words, organisations that are already compliant with the UK GDPR will not be required to make any changes as a result of the Bill. The question for organisations to consider is therefore if they want, and are able, to change any of their internal processes and governance to reflect any of these changes.