
UK Legislative Developments and the Impact on Cyber


By Pavan Trivedi


Published 30 September 2022

Overview

Much has been written about the UK’s data protection legislation reform agenda and its apparent lack of impact on the world of cybersecurity. However, there are certain key points which organisations should be aware of, which we summarise below.

Data Protection and Digital Information Bill (the “DPDI Bill”)

The DPDI Bill was introduced into the House of Commons in July 2022 but has stalled following the summer recess and the appointment of the new Prime Minister, Liz Truss. The DPDI Bill has been incorrectly reported as having little to no impact on cyber. In particular, there are noteworthy changes proposed to the ICO’s enforcement powers, as highlighted below.

Currently, the ICO has a range of existing enforcement powers, from serving Information Notices (requesting provision of information required to help the carrying out of statutory functions), to Assessment Notices (permitting the ICO to assess whether an organisation is complying with data protection legislation), through to Enforcement Notices and Penalties. However, the consultation [1] sought responses on three key proposed enhancements to the ICO’s enforcement powers, as follows:

Power to commission technical reports

When investigating data protection legislation infringements, the ICO has apparently faced challenges obtaining information from organisations regarding the technical and organisational measures that were in place at the time and as to the remedial measures to be applied. The perception is that this challenge is borne out of an attempt to hide internal failings and vulnerabilities identified as part of the organisation’s own investigation (whether internal or by a third party specialist provider).

The government proposed introducing a new power for the ICO to be able to commission an independently-produced technical report to inform investigations, which is akin to the power the FCA currently has under the Financial Services and Market Act. The intention is to limit this power to particularly complex and technical investigations where there is a significant risk of harm or detriment to data subjects. It is noted that the ICO will have the power to impose a monetary penalty notice where an organisation has failed to assist the “approved person” who is appointed to prepare the report.

The proposal has been included in the DPDI Bill [2], but we are concerned as to how these reports will be treated in terms of priority as against internal reports that are commissioned by the organisation from specialist third party forensic investigators, for example.

Power to compel witnesses to answer questions at interview

Organisations have an existing duty to cooperate with the ICO [3], but there has been a perceived reluctance of individuals to fully cooperate with investigations, including a refusal to be interviewed. As part of the consultation, the government proposed introducing a power allowing the ICO to compel witnesses to interview in the course of an investigation [4].

The DPDI Bill introduces this power [5], but its use is limited to circumstances where the Commissioner suspects that a controller or processor has: (i) failed, or is failing, as described in s149(2) of the Act, which includes non-compliance with chapter 2 of the UK GDPR (the Principles), data subject rights and obligations on controllers and processors, for example; or (ii) committed, or is committing, an offence under the Act.

Amending the statutory deadline for the ICO to issue a penalty following a Notice of Intent

In the consultation, the government proposed amending the statutory deadline for the ICO to issue a penalty following a notice of intent being issued from 6 to 12 months [6]. The Act currently provides that a penalty notice given in reliance on a notice of intent must be issued within 6 months from when the notice of intent is given [7].

The DPDI Bill allows the Commissioner more time to issue a final penalty notice after issuing a notice of intent where needed. This change creates a level of uncertainty for organisations that are in receipt of a notice of intent, as it is unclear how long the Commissioner can extend time for, given the absence of a cap. However, it is noted that the Commissioner will be required to publish guidance on the circumstances in which more than 6 months is needed in order to make a decision as to whether to issue a penalty notice or not.

Following the recent change in Prime Minister, we understand that further changes may be afoot with the Bill, and we shall keep a watching brief over it for this reason.

Product Security and Telecommunications Bill (the “Security Bill”)

A further Bill, which was introduced in November 2021 but which has garnered less attention than the DPDI Bill, is the Security Bill. It aims to protect consumers from cyber-attacks by ensuring that device manufacturers, importers and distributors develop and market devices which meet more stringent cybersecurity standards. This new security standard will need to be regularly updated, and manufacturers will be required to have an appointed representative for reporting software vulnerabilities, with the goal of increasing consumer confidence.

The Government reported that in the first six months of 2021 there were 1.5bn attempted compromises of connectable products, which is double the equivalent figure from 2020. This figure stems from the increase in smart devices now installed in the average UK household, which was estimated to be nine or more in 2020.

The Bill has progressed through the House of Commons and has been scheduled for its report stage in the House of Lords in October 2022.

Conclusion

The UK, like the US and Canada, is currently undergoing a comprehensive reshaping of its data protection and privacy legislative regime. However, with the postponement of the second reading of the DPDI Bill and talk of an entirely new Bill being published, it is difficult to anticipate the direction of travel with the legislative reform that is underway. We will continue to keep the DPDI and Security Bills under close review and shall report further when new developments are announced.

[1] See section 5.7 of the consultation.
[2] See clause 35 of the Data Protection Bill.
[3] See section 63 of the Data Protection Act 2018.
[4] See section 5.7 of the consultation.
[5] See clause 36 of the Data Protection Bill.
[6] See section 5.7 of the consultation.
[7] See Paragraph 2 of Schedule 16 to the Act.
