Law Society of Scotland

Data beyond Brexit

Data protection: A roundup of recent developments covering data transfers now that the UK is outside EU law, anonymisation guidance, and renewed scrutiny of the adtech industry
17th May 2021 | Ross Nicol, Muneeb Gill

In this roundup we discuss (1) the recent memorandum of understanding between the Department for Digital, Culture, Media & Sport (“DCMS”) and the Information Commissioner’s Office, which sets out the ICO’s role in future UK adequacy assessments; (2) the ICO’s announcement that it will update its guidance on anonymisation; (3) the practical implications of the Schrems II judgment on organisations wishing to use standard contractual clauses (“SCCs”) to transfer data outside the UK; and (4) the ICO’s ongoing investigation into the adtech industry, which was temporarily paused due to the COVID-19 pandemic.

1. ICO role in adequacy assessments

Prior to 1 January 2021 (and the end of the Brexit transition period), the European Commission had the power to make “adequacy decisions” in favour of non-EU countries that were deemed to have a level of data protection that was equivalent to that in the EU under the GDPR. UK organisations could freely transfer personal data to these “adequate” countries without the need to implement an international transfer safeguard under GDPR (which for most organisations usually meant entering into Commission-approved SCCs with the non-EU data recipient).

Post-Brexit, the Data Protection Act 2018 now empowers the Secretary of State for the DCMS to make UK “adequacy regulations” in favour of non-UK countries that are considered to have a level of data protection equivalent to that in the UK. Before making these regulations, the Secretary of State must consult with the ICO. While the UK has already adopted the European Commission’s existing list of adequacy decisions for the purposes of post-Brexit data transfers out of the UK, the Secretary of State will be responsible for expanding this list in future. The ICO and DCMS have now agreed a memorandum of understanding (“MoU”) that sets out the ICO’s roles and responsibilities in relation to future UK adequacy assessments by the Secretary of State.

The MoU breaks down the DCMS’s adequacy assessment process into four key stages, and sets out the ICO’s role in relation to each:

Part 1, gatekeeping, involves deciding whether or not to start an adequacy assessment in respect of a third country: the ICO’s role is to provide advice to DCMS on the third country’s data protection laws and practices.

Part 2, assessment, is the process of assessing the level of data protection in the third country: again, the ICO’s role is to provide advice to DCMS on the third country’s data protection laws and practices (e.g. the role and effectiveness of the country’s regulator).

Part 3, recommendation, involves the DCMS team making a recommendation to the Secretary of State, who decides whether to make a finding of adequacy in respect of that third country: the ICO will provide a response on the draft conclusions of the DCMS’s assessment of the third country, so this can be factored in to the recommendation to the Secretary of State and ultimately into their decision making.

Part 4, procedural, is the final phase, during which the relevant UK adequacy regulations are created, laid before Parliament and the ICO’s opinion is published: the ICO will provide advice and/or an opinion to Parliament.

Whilst the MoU defines the scope and extent of the ICO’s involvement in the adequacy assessment process, the Secretary of State is not bound by the ICO’s opinions and recommendations.

2. ICO guidance on anonymisation

The UK GDPR only applies to personal data (i.e. information from which a person can be identified). The practical consequence is that if data is anonymised – so that an individual can no longer be identified from it – it is no longer subject to these rules.

From a data protection perspective, anonymising data raises a number of difficult issues. Chief amongst these is the question of what level of “de-identification” has to be achieved in order for information to be considered anonymised under data protection law. This can be a complex assessment, and often involves making a judgment call on the likelihood or possibility of an individual still being identified – which creates the risk of subjective and divergent approaches from one organisation to the next.

The ICO’s current guidance on anonymisation was published in line with the Data Protection Act 1998, now replaced by the 2018 Act. Some data protection practitioners have expressed dissatisfaction that the guidance is lacking as it does not provide enough clarity on how to assess the degree of “de-identification” necessary to achieve anonymisation. This is not helped by the fact that, per the guidance, the assessment is to include consideration of “other information” that is available (e.g. in public), or that may become available in future – an unpredictable and sometimes unfeasible task.

However, help may be on the way. In a recent statement on its blog (19 March 2021), the ICO announced that it will be updating its guidance. This will include the spectrum of identifiability to be considered, and managing re-identification risk (covering concepts such as the “reasonably likely” and “motivated intruder” tests). Given the passage of time since the current guidance was published, and advancements in technology and data management practices, the updated guidance will also include guidance on privacy enhancing technologies and technological solutions for anonymisation. This is a welcome announcement from the ICO, and one that will hopefully bring more clarity to this often complex issue.

3. Standard contractual clauses

On 16 July 2020, the Court of Justice of the European Union handed down its eagerly anticipated judgment in the Schrems II case, which invalidated the EU-US Privacy Shield and set out additional requirements that must be satisfied when using SCCs to make international transfers of personal data outside the EU. The judgment requires that companies undertake additional diligence when relying on SCCs, to ensure that there is nothing under local laws in the receiving country that undermines the protections afforded in the SCCs. This is most relevant where there is potential for access to the personal data by public authorities (e.g. law enforcement and intelligence agencies). Where this is the case, the judgment requires that “supplementary measures” are put in place to provide additional safeguards.

The European Data Protection Board (EDPB) has published draft guidance on the necessary supplementary measures. While the UK is no longer part of the EU, this guidance remains relevant as the Schrems II judgment is, strictly speaking, applicable in the UK. The ICO has stated on its website, however, that it will publish UK guidance on supplementary measures in due course.

Given the complexity and divergence in data protection laws from country to country, the assessment to be carried out when using SCCs will likely be a complicated exercise for the majority of organisations – and one that will likely require specialist input. However, the EDPB guidance sets out a number of useful steps that organisations can take to assess what supplementary measures should be adopted when using SCCs to transfer data abroad.

    1. Know your transfers: You should map out the data that you are transferring to a third country, and ensure the data transferred are limited to what is necessary to achieve the purposes of the transfer.
    2. Assess the effectiveness of SCCs: You should assess whether there is anything in the law or practice of the third country that would make the protection afforded in the SCCs ineffective. This assessment should primarily be focused on legislation in the third country that impacts on the data being transferred under the SCCs (e.g. local laws that allow access to personal data or surveillance by law enforcement authorities and public bodies).
    3. Identify and adopt supplementary measures: Where your assessment reveals that the effectiveness of the SCCs will be impinged on by the laws and practices of the third country, you must identify and adopt appropriate supplementary measures to address this risk. The measures adopted should be in the context of your specific transfer, and the risks you have identified in the third country’s laws and practices.
      A non-exhaustive list of supplementary measures is included in the EDPB guidance. These include technical measures (e.g. encrypting the data at rest and in transit, or using pseudonymisation), additional contractual measures (e.g. contractually obliging the data recipient to use specific technical measures, or to challenge any request or order for access to data by a public authority or law enforcement agency), and organisational measures (e.g. requiring the data recipient to implement internal policies for the management and transfer of personal data, or to adopt strict and granular restrictions on data access and confidentiality within its organisation on a need-to-know basis).
      It is important to note that there may be circumstances where there are no supplementary measures that will ensure an appropriate level of data protection, and in these circumstances the transfer should not be made, or where it is already being made it should be suspended or terminated (and any data already transferred should be returned or destroyed).
    4. Procedural steps for adopting supplementary measures: You should take any formal procedural steps that are necessary to adopt the supplementary measures. For example, the supplementary measures must not reduce the protections afforded in the SCCs, and where they modify or contradict the terms of the SCCs, they must be approved by a supervisory authority (the ICO in the UK).
    5. Re-evaluate at appropriate intervals: You should re-evaluate at appropriate intervals the level of data protection afforded to the data you have transferred, including monitoring developments in the third country to identify any changes that might impact on your initial risk assessment.

4. Adtech: ICO’s investigation

On 22 January, the ICO issued a statement confirming the resumption of its investigation into real time bidding (“RTB”) and the adtech industry, which was paused in May 2020 to allow the ICO to prioritise activities responding to the COVID-19 pandemic. RTB is the process through which a website publisher auctions off advertising space on their website to advertisers that want to target the particular audience who will visit that site. This allows the ads that people are shown on a website to be specifically selected for them. This process often involves hundreds of companies, and is completed in a matter of milliseconds.

In June 2019, the ICO issued a report on its investigation into adtech and RTB, which outlined its concerns in relation to the industry’s compliance with data protection and e-privacy laws. In particular, the ICO was of the view that the creation and sharing of personal data profiles about people, and the scale on which this was happening, was “disproportionate, intrusive and unfair, particularly when people are often unaware it is happening”. The ICO also found that sensitive data (e.g. about a person’s health) were being used without people’s consent.

The ICO’s continuing investigation will include a series of audits on data management platforms (for which assessment notices will be issued to specific companies in the coming months), and will also review the role of data broking, which plays an important part in the RTB process.

The ICO has advised that organisations operating in the adtech industry should assess how they process personal data “as a matter of urgency” – a possible early indication that heavier regulatory oversight and enforcement action in this area are likely to follow.

The Author

Ross Nicol, partner, and Muneeb Gill, associate, Dentons UKIME LLP
