Data protection monthly overview

In this month’s Data Protection round-up: a lack of awareness for the Children’s Code, new ICO guidance is in the offing and the Government’s Digital Markets Unit takes shape.

A quarter of businesses are still unaware of the Children’s Code

At the beginning of March 2021, the ICO conducted a survey into business awareness of its Children’s Code, an initiative that outlines a code of practice for all online services (including apps, games and social media) that are likely to be accessed by children. Despite the code coming into force on 2 September 2020 (albeit with a 12-month grace-period for compliance), initial findings of the 500 surveyed, participants suggested that close to 25% of businesses are still unaware of the code and therefore unlikely to be compliant with its objectives.

The code sets out 15 standards that organisations must meet if they are to show compliance by 2 September 2021. The standards include not using “nudge techniques” that might encourage children to provide unnecessary personal data and “age-appropriate application” that encourages organisations to establish the ages of their audience with a level of certainty. Full details on the code and how meet the compliance objectives can be found on Children’s Code hub | ICO

The ICO has confirmed that it will consider non-compliance of the Children’s Code in the same manner as any disregard for people’s data. As such, organisations not meeting the prescribed standards are at risk of the ICO’s maximum fine of 4% of global turnover.

ICO will update its anonymisation guidance

In a blog by Head of Technology Policy Ali Shah, the ICO confirmed its intention to update current guidance on anonymisation and pseudonymisation. Anonymisation refers to the practice of manipulating information so that it no longer relates to an individual, and once the data has been truly anonymised, it can no longer be considered personal data and therefore not subject to the applicable legislation. Pseudonymisation on the other hand, refers to the data that cannot be attributed to a data subject without the use of additional information.

The ICO’s key guidance in this area, the “Anonymisation: Managing data protection risk code of practice” has not been updated since 2012. Technological advances and reliance on data sharing has changed enormously in the last 9 years (including the introduction of GDPR and DPA 2018). This will therefore come as welcome news to those in the financial services or healthcare environments, whose sectors will most benefit from a new code of practice. Each chapter of the guidance will be published ahead of full public consultation in the near future.

The new Digital Markets Unit

This week the Government published the terms of reference for a new unit tasked to prepare for the pro-competition regime of digital markets. The Digital Markets Unit (“DMU”), which will be set up in the Competition and Markets Authority, will currently operate in a shadow, non-statutory form, with full consultation taking place later this year and statutory footing as soon as possible. The DMU is part of the Government’s new “pro-competition regime for digital markets” which was announced in November 2020 and will work alongside an enforceable code of conduct and pro-competition interventions.

The key roles of the DMU are as follows:

• Carrying out preparatory work to implement the statutory regime;
• Supporting and advising the Government on establishing the statutory regime;
• Evidence gathering on digital markets; and
• Engaging with stakeholders across industry, academia, other regulators and Government.

As mentioned above, the Government is still finalising and considering the final form and function of the DMU but we do not expect vast changes. This announcement comes a short time after the CMA published its own Digital Strategy that contained a strong focus on building its knowledge of digital markets and strategizing on how best to use its existing tools to maximum effect in this sector.