Data & Privacy legal updates:
International transfers and divergence post-Brexit
(Ongoing)
- What's happening?
Post-Brexit, domestic and international regulatory regimes on data protection adequacy and transfer have diverged. This means they could be reviewed and updated independently, and further divergence may occur in the future.
- What does it mean?
Your personal data transfers across the globe, whether intra-group or with your suppliers, will need to be a number one priority in 2022. A perfect storm of regulatory requirements means practical initiatives need to be deployed to meet new requirements for EU data transfers and UK transfers.
Retailers need to:
1. Identify data flows from the EU and the UK to non-adequate countries – this needs to cover supply chain data sharing as well as your own intra-group sharing.
2. Determine a practical approach to running transfer impact assessments / transfer risk assessments as required by EDPB guidance and UK ICO guidance.
3. Be prepared to re-paper your existing Standard Contractual Clauses, recognising that UK transfers will need UK repapering (to be announced by the UK ICO) and EU transfers will need to use the new SCCs. Old contracts need to be replaced by the end of the year for European sharing.
The need for running assessments for transfers may also provide a useful opportunity to work out what data flows are happening across their business. AG has launched its Data Transfer Express Tool to assist clients with their approach to data transfers. Contact Ross McKenzie for further details.
Cookie crumbling
(Ongoing)
- What's happening?
Tracking technology and the regulation of cookies are subject to scrutiny and may be updated under UK data law reforms. Potential reforms include changing the current operation of tracking technology so that consent is no longer required by law, or is not required in certain circumstances. Equivalent EU regulation is also being considered for review, which would also affect current tracking practices.
- What does it mean?
Retailers will need to carefully consider their strategy for use of adtech and cookies, with technology providers like Apple slowly pushing against use of tracking technology.
Advertising agencies are focussing much more on consent strategies with consumers to enable tracking tech to continue to be compliant. However, regulators across Europe and the UK are circling around these practices with enforcement action against adtech approaches, such as in Belgium, where the regulator found that the IAB framework did not meet data protection standards.
Any consent for placement of tracking technology needs to meet GDPR consent standards, with more consumers becoming aware of the need to be upfront on data collection.
Retailers should carefully examine their data collection and sharing across their digital infrastructure to ensure that practices are transparent and consent is secured from consumers for tracking.
End of an era for Data Broking
(Ongoing)
- What's happening?
Traditionally seen as the lower risk end of consumer engagement, traditional 'legitimate interests' justifications around the use of data from data broking agencies were called into question by an ICO investigation and enforcement against Experian. An enforcement notice has been issued against Experian requiring them to rectify shortcomings around transparency and the legal basis for using information. This decision is currently under appeal to the Information Tribunal. The implications of this decision, if upheld, could run deep for all controllers who have relied on data from the likes of Experian for vital insights into individual consumers.
- What does it mean?
There are potentially wider implications for marketing practices generally which use legitimate interests rather than consent as a legal basis, and some questions have been raised around whether this decision will mark a move away from non-consent-based marketing models. However, the DCMS's recently published government consultation paper "Data: A New Direction" specifically addresses the need for the government to provide more clarity on when legitimate interest can be used by businesses. This is an interesting topic that may prove to be a UK differentiator post-Brexit.
AI Systems
(Ongoing)
- What's happening?
The European Commission has published ambitious draft legislation to regulate AI systems. The EU is keen to ensure that EU member states are at the forefront of new technologies, whilst ensuring that the fundamental rights enjoyed by individuals and businesses in the EU are preserved. Approaches in the UK are likely to be informed by the EU.
- What does it mean?
The proposals deliberately cast a wide net, looking to apply to businesses inside the EU as well as businesses located outside the EU where an AI system is sold in the EU or affects people in the EU. Similarly, a wide range of AI systems will be caught by the proposed Regulation. For retail and consumer businesses, examples of high-risk AI systems include data scraping (for threat and / or security purposes) and systems intended to evaluate the creditworthiness or credit score of individuals.