The Information Commissioner’s Office (ICO) has published its letter (ICO Letter) in response to the UK Government’s request of 24 December 2024 that the UK’s main regulators set out their ideas for reform that could boost economic growth. Whilst the Government’s request reflects its growth agenda, it also arguably builds on the previous Government’s smarter regulation programme (see our blog from May last year).
The ICO framed some of its ideas as commitments to take various steps as opposed to just proposals. Whilst some of the commitments reflect actions that we knew the ICO had already planned to take, others are new.
Greater clarity on privacy compliant use of AI
The ICO has acknowledged that there is a sprawl of guidance around AI and data privacy compliance which is hard for organisations to keep on top of. Most recently this includes the ICO’s consultation and response on Gen AI (see our most recent blog on this) and its report on AI in recruitment (see our previous blog).
The ICO has now committed to publishing a single set of rules for those developing or using AI products to make it easier for them to innovate and invest responsibly in a privacy compliant manner. The ICO has proposed that the UK Government legislate to make such rules a statutory code of practice to provide further regulatory certainty to businesses. This could for instance be addressed as an amendment to the Data (Use and Access) Bill (Data Bill) which is currently making its way through the UK Parliament.
Expansion of ICO’s work on innovation
The ICO has been operating its Regulatory Sandbox for over five years to support organisations who are developing innovative products understand and address their privacy implications. Since its inception, many organisations have benefitted from the sandbox, either as one of the organisations who have been accepted into the programme, or from the learnings in the ICO’s reports on its sandbox work.
The ICO Letter says it will now expand the support that the sandbox provides by seeking to implement an experimental regime by giving businesses a time-limited derogation from specific regulatory requirements. The ICO has said it would welcome the UK Government legislating for such a regime, so it is not clear if the ICO believes it can implement this idea without changes to the legislative framework. If legislative changes were to be made, consideration could also be given to whether the derogations could and should trigger a moratorium on private actions being brought for non-compliance.
The ICO has also committed to progressing new and refreshed innovation-focused guidance, including on neurotech, cloud computing and Internet of Things devices.
Simplification of online advertising rules
As we noted in a previous blog, one of the ICO’s areas of focus is online advertising. The ICO Letter acknowledges that there are aspects of this that businesses find difficult or burdensome to navigate. The ICO has therefore committed to reviewing where the consent requirements under the Privacy and Electronic Communications Regulations are preventing an industry-wide shift towards more privacy-friendly forms of online advertising.
The ICO goes on to commit to publishing a statement outlining low-risk processing purposes (such as privacy-preserving ad measurement) which it considers are unlikely to result in damage or distress or be a priority for enforcement action. It therefore concludes that it would support the UK Government in introducing legislation to remove consent requirements in these areas. The Data Bill already proposes to remove the consent requirements in some cases, and whilst not completely clear, the ICO Letter appears to be advocating for an extension to these exemptions.
Quicker and easier international transfers
The ICO acknowledges that the international transfer of data underpins a significant amount of UK exports. However, we know that the requirements around data transfers have been burdensome for businesses. The ICO has now committed to publishing updated guidance which it says will make it quicker and easier to do so. Given the need to maintain the adequacy decision from the EU (which is due for review this year), it will therefore be interesting to see whether this new guidance reflects a real step change from the current position.
Support for smart data schemes
The Data Bill sets out a framework for smart data schemes to enable the secure sharing of customer data (see our previous blog). The ICO Letter has picked up on this, stating that it will continue to support the introduction of such schemes, helping customers port their data between services in a privacy compliant manner. Its first focus is on continuing to work with the UK Financial Conduct Authority on Open Finance, ie the extension of open banking-like data sharing to a wider range of financial products.
Outlook
The ICO has generally always been a pragmatic regulator and keen to support innovation. It is therefore not surprising that its response to the UK Government reflects this. The ICO’s ideas should be welcomed by businesses, but of course the real test will be in how effective it is in implementing them and whether it can achieve this in a timely manner given the various demands on its limited resources.
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-30-10-00-10-064-679b4daa8638bf829f66336a.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-24-11-41-05-755-67937c51312d8a93f10ce419.jpg)
/Passle/5badda5844de890788b571ce/SearchServiceImages/2025-01-16-15-01-28-613-67891f48d45066607fa2145f.jpg)
/Passle/5badda5844de890788b571ce/MediaLibrary/Images/5cc2b50a989b6e0d381e1c2e/2019-08-05-15-19-03-009-5d4848e78cb62302888e96e4.jpg)