Data Protection Bulletin - March 30 2023
Welcome to the latest edition of our bi-weekly Data Protection Bulletin, where we keep you informed on the latest key insights, government regulatory activity, and enforcement actions in the world of data protection.
In this issue, we will be diving into the latest developments and trends in data privacy, discussing how businesses and organisations can stay compliant with data protection laws, and exploring the consequences of non-compliance. Whether you’re a data privacy professional or simply interested in staying informed, this bulletin is your go-to source for all things data protection.
- Key Insights
- Government Regulatory Activity
- Enforcement Actions
DPAS Tips on Managing a High Influx of Data Subject Access Requests
In the course of our work supporting organisations, we have seen that many have experienced an increase in Data Subject Access Requests (DSARs) recently, with many councils noting a surge in care leavers requesting their case files from their time in the social care system. In addition, HR-related DSARs have become more frequent, particularly in situations involving redundancies, grievances, and performance management issues. In our latest blog, we suggest actionable strategies to help organisations manage DSARs more effectively.
GOVERNMENT AND REGULATORY ACTIVITY
UK Department for Science, Innovation and Technology Unveils New AI Growth Plan
The UK government has published a White Paper on AI regulation, outlining a pro-innovation approach to AI with a focus on avoiding unnecessary burdens for businesses. While no new legal requirements are being introduced, the paper recognises the risks posed by AI to human rights, safety, fairness, privacy, societal well-being, and security. To mitigate these risks and maintain public trust, the UK is proposing a unique regulatory framework based on five principles: safety, transparency, fairness, accountability, and contestability.
Regulators will have the flexibility to develop and enforce AI rules based on these principles, and there will be a statutory duty to consider them. The UK’s approach differs from the EU AI Act, which imposes mandatory requirements on the developers and deployers of AI systems across all sectors. The government will provide support to regulators, such as monitoring, assessment, and feedback, innovation support, and education and awareness. While the proposed regulatory framework provides a balanced approach to regulating AI, further work will be done on regulating foundation models such as ChatGPT to explore risks and regulatory needs in this area. You can read the plan HERE.
Major AI Players Sign Open Letter for Six-Month Break on Powerful AI System Research
Over 1,000 AI experts, researchers, and supporters have signed an open letter calling for an immediate six-month pause on the development of powerful artificial intelligence systems, including those more advanced than GPT-4. The letter emphasises the need to better understand, predict, and control these technologies, arguing that powerful AI systems should only be developed once their positive effects are ensured and risks are manageable. Signatories of the letter include major figures in the AI field, engineers from Amazon, DeepMind, Google, Meta, and Microsoft, as well as prominent academics.
The letter, coordinated by the Future of Life Institute, suggests that if researchers do not voluntarily pause their work on powerful AI models, governments should step in. It clarifies that this does not mean a pause on AI development in general, but rather a step back from the race toward larger, unpredictable models with emergent capabilities. The call for strict regulation contrasts with the UK government’s AI regulation white paper, which focuses on coordinating existing regulators and offers five principles for AI considerations. You can read the full letter HERE.
High Court Rules Immigration Exemption to Data Protection Act Unlawful, Again
The High Court has ruled that the UK government’s immigration exemption to the Data Protection Act 2018 remains incompatible with the UK General Data Protection Regulation (GDPR). The immigration exemption allows the Home Office and privately contracted companies to deny individuals’ requests to access their personal data if it might “prejudice the maintenance of effective immigration control.” This exemption can also prevent migrants from objecting to their data being used for automated decision-making or being deleted.
The exemption was previously challenged in 2018 and ruled unlawful in May 2021, and the government was given until January 2022 to introduce legislative amendments to make it compatible with GDPR requirements. However, the Open Rights Group and the3million, who brought the judicial review claims, argued that the changes were inadequate, and the High Court has now agreed, stating that the exemption still does not comply with mandatory requirements of Article 23(2). You can find the full text of the judgement HERE.
ICO Introduces New Prioritisation Framework for Public Interest FOIA Complaints
The Information Commissioner’s Office (ICO) has unveiled a new prioritisation framework for handling complaints under the Freedom of Information Act (FOIA), focusing on cases with significant public interest. The ICO has streamlined its processes to better manage the volume and complexity of FOI complaints and target public authorities that systematically fail to meet transparency obligations. The new criteria aim to provide clear guidance on significant public interest, such as issues involving large amounts of public money or information impacting vulnerable groups.
The ICO plans to allocate priority cases within four weeks and fast-track 15-20% of its caseload, aiming to close 90% of all cases within six months. This prioritisation is part of the ICO’s recent improvements in regulating the FOI Act, which includes reducing its caseload of live complaints by nearly two-thirds and delivering over 2,500 decision notices in the past year. The ICO is also taking more proactive action against public authorities that systematically fail to comply with the law. You can read the full statement HERE.
Finnish SA Fines Controller €440,000 for Inaccurate Payment Default Entries
The Finnish Data Protection Authority (SA) investigated a consumer credit information services company’s (Suomen Asiakastieto Oy) processing of payment default information based on final decisions in 2021. It found that the controller should not have stored information from decisions issued in civil cases as payment default entries. The SA ordered the controller to rectify its registration practices and erase all inaccurate payment default entries. However, in January 2023, the controller admitted to interpreting the SA’s order incorrectly and had only erased all payment default entries based on final decisions.
As a result, the Finnish SA imposed a €440,000 administrative fine on the controller for failing to erase inaccurate payment default entries saved in the credit information register due to inadequate practices. The SA emphasised the significant impact of payment default entries on individuals’ rights and freedoms. You can read the full case report by the European Data Protection Board HERE.
ICO Issues Practice Recommendation to the Department for Work and Pensions for FOI Failures
The Information Commissioner has expressed concerns over the Department for Work and Pensions’ (DWP) handling of Freedom of Information Act (FOIA) requests. According to the ICO, “The DWP has shown a consistently poor performance in processing requests”, prompting the Commissioner to intervene to ensure compliance.
As a result, the Commissioner has found that the DWP’s request handling practices do not conform to certain parts of the Freedom of Information Code of Practice. To address these issues, the Commissioner has made recommendations to support and enhance the DWP’s information rights practices, including having the Central FOI Team review all responses and internal reviews for compliance. You can read the full practice recommendation HERE.