FUTURE PRIVACY COMPLIANCE SERVICES FOR UPCOMING DATA LEGISLATION

UNITED KINGDOM

The UK government has announced it plans to replace the UK GDPR (General Data Protection Regulation) with a new British data protection system. Here is some proposed / emerging UK legislation that may affect organisations that collect UK data.

ONLINE SAFETY BILL – 2023

The Online Safety Bill is aimed at certain internet services, makes provision for and in connection with communications offences, and covers connected purposes. Once finalised (3rd reading stage), the Bill will implement new rules for firms which host user-generated content, i.e. those which allow users to post their own content online or interact with each other, and for search engines, which will have tailored duties focused on minimising the presentation of harmful search results to users.

Platforms that fail to protect people will need to answer to the regulator and could face fines of up to 10% of their revenues or, in the most serious cases, being blocked. All platforms in scope will need to tackle and remove illegal material online.

The Bill will have provisions for OFCOM to regulate certain internet services and communications offences.

THE DATA REFORM BILL

The Data Reform Bill will amend or replace the UK GDPR and Data Protection Act 2018. The draft Bill has not yet been published and is currently on hold while the Government evaluates how to replace and move away from the UK GDPR without putting the UK’s ‘adequacy’ status at risk.

DATA PROTECTION AND DIGITAL INFORMATION BILL

The Data Protection and Digital Information Bill proposes to update and simplify the UK’s data protection framework and includes measures relating to areas such as digital identity and ‘smart data’. This will "transform the UK's independent data laws."

The government states that this is a “Bill to make provision for the regulation of the processing of information relating to identified or identifiable living individuals; to make provision about services consisting of the use of information to ascertain and verify facts about individuals; to make provision about access to customer data and business data; to make provision about privacy and electronic communications; to make provision about services for the provision of electronic signatures, electronic seals and other trust services; to make provision about the disclosure of information to improve public service delivery; to make provision for the implementation of agreements on sharing information for law enforcement purposes; to make provision about the keeping and maintenance of registers of births and deaths; to make provision about information standards for health and social care; to establish the Information Commission; to make provision about oversight of biometric data; and for connected purposes.”

Once implemented, this may lead to additional requirements such as:

> Organisations needing to respond to assessment notices and interview notices.
> Ensuring that data protection accountability documentation is in place and maintained.
> Conducting regular data protection training for all staff members who have data protection responsibilities, and keeping records.
> AI - the U.K. government is proposing a second set of rules and regulations for AI and machine learning. Part of its national strategy on AI, the new AI proposals are meant to live alongside the data protection bill and involve regulators like Ofcom and the Competition and Markets Authority.

THE DIGITAL MARKETS, COMPETITION AND CONSUMER BILL

The government will bring in new legislation to protect consumers from fake reviews and subscription traps, and to give the Competition and Markets Authority (CMA) new powers to deal with anti-competitive practices in digital markets. The government will introduce the bill in this parliamentary session, which will end in May 2023.

Once implemented, this may lead to:

Firms designated as gatekeepers (under the EU regime), and with strategic market status (under the UK regime), will be required to undertake significant work to ensure compliance with the new rules. It will also be necessary for those firms that interact with powerful digital firms to understand the rules and what changes are coming.

The government also plans to update consumer protection law to tackle "subscription traps" and fake online reviews. This will mean that businesses will be obliged to give consumers additional information before signing up to a subscription and make it easier for consumers to opt out of subscriptions; that is, the UK will have "cancellation buttons" legislation in much the same way as has been seen in France and Germany. There is also likely to be a new blacklisted offence related to fake reviews and one specifically targeting platforms, which will need to undertake "reasonable and proportionate" checks on reviews to avoid the offence.

ICO - AGE APPROPRIATE DESIGN: A CODE OF PRACTICE FOR ONLINE SERVICES

The ICO website states that the Children’s Code (or the Age-appropriate design code) contains 15 standards that online services need to follow. This ensures they are complying with their obligations under data protection law to protect children’s data online.

Online services covered by the code are wide ranging and include:

> Apps;
> Games;
> Connected toys and devices; and
> News services.

If children are likely to access your service, even if they are not your target audience or user, then you need to consider the Children’s code.

Who does the code apply to?

The code applies to “information society services likely to be accessed by children”. The definition of an ISS is “any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services.” What this means in practice is that most for-profit online services are ISS, and therefore covered by the code. This includes:

> Apps;
> Programs;
> Search engines;
> Social media platforms;
> Online messaging or internet based voice telephony services;
> Online marketplaces;
> Content streaming services (eg video, music or gaming services);
> Online games;
> News or educational websites; and
> Any websites offering other goods or services to users over the internet.

Electronic services for controlling connected toys and other connected devices are also ISS.

If your online service is likely to be accessed by children under the age of 18, even if it’s not aimed at them, then you are probably covered by the code. This means you may need to make some changes to how you design your service and how you process personal data to ensure you comply with the code.

Does the code only apply to UK-based Organisations?

No. The code applies to UK-based organisations and non-UK organisations who process the personal data of UK children.

What do I have to do to conform with the code?

Things you may need to think about, or implement, are:

> Mapping what personal data you collect from UK children.
> Checking the age of the people who visit your website, download your app or play your game.
> Switching off geolocation services that track where in the world your visitors are.
> Not using nudge techniques to encourage children to provide more personal data.
> Providing a high level of “privacy by default.”
