One of the last pieces of legislation to be passed by Parliament prior to the 2017 General Election was the Digital Economy Act which brings welcome changes in a variety of areas, some of which, arguably, are long overdue.
While many of the provisions are specific to particular industries and sectors, the Act will introduce changes specific to data sharing and direct marketing.
About the Act
The Act, which received royal assent in April 2017, covers a wide variety of measures relating to the digital economy, including:
- media and telecoms;
- intellectual property and technology; and
- data protection.
The Act was heavily scrutinised during the legislative process by both Houses of Parliament, however it is well-intentioned. At its heart, its aim has been to build a “more connected and stronger economy”, according to Matt Hancock, Minister of State for Digital and Culture.
Certain provisions of the Act came into effect immediately and are already in force. Many of the provisions, however, will require secondary legislation to be passed before they come into effect.
The Act addresses two particular areas in relation to data protection; direct marketing and data sharing.
Under the Act, the Information Commissioner’s Office (ICO) will prepare a direct marketing code of practice which complies with legal obligations set out in current data protection legislation, including the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communication Regulations 2003 (PECR).
Although the ICO published guidance on direct marketing in 2013, it does not have any formal status. The new statutory code of practice, although not legally binding, will be admissible in evidence. As with other formal codes prepared by the ICO, the code must be taken into account by the ICO, the tribunals and the courts in certain cases.
Provision for a statutory code has been welcomed by the ICO as a useful tool in ensuring organisations comply with direct marketing rules, particularly in relation to spam email and nuisance calls. This will become increasingly important given the stricter rules that will come into force in 2018 under the General Data Protection Regulation (which will replace the DPA) and the proposed ePrivacy Regulation (which will replace PECR).
Specific measures under the Act aim to improve public services through better use of data while safeguarding citizens’ privacy. These data sharing provisions set out a variety of situations in which personal data can be shared more easily between public sector bodies on the basis it will improve efficiency and service delivery within public services.
Although various provisions address the confidentiality of personal information, there are a number of exemptions permitting disclosure, and these have attracted widespread criticism given the concern over the risk of excessive disclosure.
The ICO made several recommendations to build in safeguards. Organisations that share data under the Act must take into account the ICO’s codes of practice on privacy impact assessments and privacy notices. These codes of practice must be reviewed by the ICO and be consistent with the ICO’s current data sharing code of practice. Four codes of practice have already been published in draft unapproved form.
The data sharing provisions of the Act require a statutory instrument before they can be commenced. (On 1 October 2017, provisions relating to the disclosure of information to improve public service delivery (s. 35) and to gas and electricity suppliers (s. 36) come into force, but solely for the purpose of making regulations.)
As part of their preparations for the GDPR and the ePrivacy Regulation, organisations that engage in direct marketing should ensure that they review their existing practices and procedures against the new direct marketing code once it has been published by the ICO.
Concerns have been raised about the extent of government data sharing under the controversial new data sharing provisions and whether the safeguards are sufficient, particularly given that the government did not accept some of the ICO’s recommendations. Some critics say the Act potentially conflicts with the General Data Protection Regulation, and we await further commentary on this.
Overall, the disparate nature of the Act perhaps reflects the inevitable struggle for law and regulation to keep up with the fast pace of new technologies. Over the coming months, it will be interesting to see whether the Act has sufficient strategic focus for the growth of the digital economy in such a period of political and economic flux, particularly given the UK’s departure from the EU and the world’s biggest digital economy by 2019.
Claire Shepherd Malins is a Senior Solicitor in Brodies’ Commercial Services division.
This column is provided through DB Media Services