This week in data/cyber/tech: Renewing the UK adequacy decision, criticising the DPDIB, and a Kate Middleton-related data breach.

Viewpoints
March 22, 2024
7 minutes

There's rarely a quiet week in data protection — and this one was no exception. Below are three developments from the past seven days that caught my eye.

Story #1: Will the EU renew its adequacy decision for the UK?

You may remember that the first half of 2021 was spent predicting/worrying about whether the European Commission would issue a finding of data protection “adequacy” for the UK following its withdrawal from the EU.

After much teeth gnashing — a mixture of performative politics and genuine concern about the UK’s post-Brexit approach to data protection — the Commission issued the adequacy decision in June 2021. It’s intended to last until 27 June 2025, at which point the Commission can extend the decision or let it expire.

Last week, the House of Lords launched an inquiry into the UK’s adequacy arrangement. The European Affairs Committee will assess:

  • The existing arrangement and possible challenges to its renewal; 
  • The implications of it not being renewed; and
  • Lessons learned from other countries’ experiences with the adequacy system.

The Committee is expected to issue its findings by July 2024.

Concerns and challenges with the Data Protection and Digital Information Bill

But why now?

A key factor in the Commission's decision is the fate of the Data Protection and Digital Information Bill. However, it’s far from certain that the Bill will even become law. 

The UK will most likely have a general election this year — an election that the Conservative Government is expected to lose. And although Parliament last month approved a carry-over motion in respect of the Bill (which allows it to be carried to the next legislative session), one might reasonably conclude that the Government’s energies will be spent elsewhere as election season kicks into gear.

Even if that’s not the case, the passage of the Bill hasn’t been plain sailing. It’s received pushback from members of the House of Lords, and last week the Information Commissioner provided his (not entirely positive) view on the current draft. 

Implications of UK's adequacy decision not being renewed

In 2021, the UK’s regime looked broadly the same as the EU’s. That’s to say, GDPR plus national implementing law. Indeed, it still does. What concerned European legislators were statements coming from British politicians signalling their intention to rip up Brussels red tape and position the UK as a light-touch regulatory regime.

What’s different now is that the UK has legislation making its way through Parliament that will replace the GDPR. The Commission can now see exactly how the Government intends to reshape Britain’s data regime.

But the Bill may die on the vine. As may the Government. 

The point is that neither of those things is likely to happen before the Committee issues its report. So the timing is somewhat curious.

Nevertheless, over the next 12 months you will be inundated with takes on the yeses, nos and maybes of UK adequacy (including by and from me), so it's good to be aware of, and hopefully prepared for, what's coming. 

Story #2: The UK ICO continues to criticise the DPDIB

If the fate of the UK’s adequacy finding from the EU is closely tied to the passage (and content) of the Data Protection and Digital Information Bill, the ICO’s position on the Bill should be instructive.

On Friday, the Commissioner gave his views to Government. 

We should start by saying the Commissioner “broadly supports” the Bill. Nevertheless, what follows in the Commissioner’s document will be grist to the mill for those looking for reasons to support the narrative that (1) the Government will loosen the UK’s data protection regime, such that (2) the UK no longer offers adequate protection for personal data, and (3) its adequacy finding shouldn’t be renewed.

High-risk processing activities and the ICO's concerns

The Commissioner notes that “many of the technical comments” he previously made “remain unaddressed”.

His concerns remain around the failure of the Bill to specify high-risk processing activities and its removal of the ICO’s ability to designate certain processing activities as “high risk”.

Of course, controllers may welcome the ambiguity of this approach, and the Commissioner himself anticipates “significant room for challenge” from organisations in the event of enforcement action.

However, the EU’s decision to renew adequacy is not based on the ease of compliance, but the protection of individuals’ personal data. Will the Commissioner's concerns be read favourably in Brussels? Probably not.

Europeans will also note the Commissioner’s assessment of the Government’s powers to compel banks and other parties to provide information about individuals suspected of benefits fraud.

I’ve written previously about this nuanced area, which involves core data protection concepts such as necessity and proportionality. 

As the Commissioner notes, the issue is not that the processing can't take place, but that it needs guardrails to ensure that processing is lawful, fair, transparent and so on. The Commissioner says the current draft of the DPDIB doesn't do this. 

Potential impact on UK's adequacy finding

Needless to say, these provisions have drawn media attention in the UK. If the Bill passes in its current form, they will be cited in Europe as an example of standards that fall below the EU's — even though adequacy findings don't require the third country's regime to mirror the GDPR. But one can already envision the optics around the purported surveillance of vulnerable individuals. 

With all this being said, it’s not clear that the DPDIB will even become law (see my last post for more detail).

So are we tilting at windmills?

In my view, no. Whether it's this Bill or another, the next 12 months will be critical for shaping the UK's post-GDPR regime and any ongoing adequacy decision. So stay tuned.

Story #3: Royal data breach at Kate Middleton clinic

People in the UK can currently be grouped as follows: (1) those who have no interest in the whereabouts of Kate Middleton; and (2) those who have no interest in anything other than the whereabouts of Kate Middleton.

Yesterday, the news broke that at least three staff members of the clinic where Kate reportedly underwent surgery in January had attempted to access her private medical records. The details are a little thin, but the UK ICO confirmed that it had received a personal data breach notification from the clinic, which is currently investigating the matter.

Most personal data breaches (here, the unauthorised access to personal data) don’t raise the spectre of criminality, and nor should they. But these facts are a little different — and not necessarily because the individual involved is a member of the royal family.

Criminal offences and unlawful access to personal data

The UK Data Protection Act 2018 makes it a criminal offence to obtain (or disclose) personal data without the controller’s consent. The ICO has previously pursued a small number of criminal prosecutions against individuals for unlawfully accessing personal data, and given the wider circumstances, it wouldn’t be a surprise to see a prosecution and/or police action here.

In the UK, medical records are now mostly, albeit not entirely, electronic.

Although that makes them more susceptible to certain types of data breach (e.g., a system-wide outage or compromise), it should also allow for stricter access controls. One would think that security for royal patients is of the strictest possible standard, so it will be interesting to learn more about how Kate's records were accessed.

Of course, employees can — and do — act outside the scope of their employment. A “frolic of his own”, as the English courts have termed it.

Precisely that issue arose in the Morrisons case in 2020, in which a vengeful employee publicised the details of around 100,000 of the company’s employees. In that case, Morrisons was found not to be vicariously liable for the actions of its employee. A similar defence may be used here.

Data breaches don’t often involve a single individual; not reportable ones, at any rate. But there is of course no minimum threshold — and particularly where sensitive data are involved, the thresholds of risk and high risk are more easily met.

Security of royal patients' medical records

That said, we can’t escape the wider context here. If the individual in question was a civilian, would the clinic — or any similarly situated organisation — notify the ICO? I’ll leave that for you to decide.

In any event, the general public seems to be most interested in the authenticity of Kate Middleton photos and sightings. However, the medical records story (which is at its heart a privacy and data protection story) is just as important, and contains salient lessons for organisations of all types, irrespective of whether their processing activities include Royal data.

Subscribe to Ropes & Gray Viewpoints by topic here.