ICO’s and EDPB’s Room for Manoeuvre in the Age of Brexit?

At the conference I attended in Brussels on Tuesday evening, 9 July, Data Protection and Competitiveness in the Digital Age, the members of the European Data Protection Board were among the 300 participants, as it was the middle evening of their two day monthly meeting.

This event was hosted by the European Data Protection Supervisor and Germany’s new Federal Commissioner for Data Protection and Freedom of Information, Ulrich Kelber.

Andrea Jelinek, Chair of the European Data Protection Board (EDPB), was on her way back from the Schrems case hearing of the Court of Justice of the European Union in Luxembourg. Elizabeth Denham was chosen to replace her (rather than one of the two EDPB Vice-Chairpersons) on the panel in her capacity as Chair of the International Conference of Data Protection and Privacy Commissioners.

This recognition of Denham’s international status was a stark reminder that if the UK leaves the EU, there will be a lose-lose impact for both the UK and the EDPB. From both perspectives, there is a clear advantage for the UK to be fully integrated with the decision-making of the EDPB in terms of dealing in a consistent manner with multi-country complaints and decisions on the level of proportionate fines and other sanctions.

In recent days, the ICO has shown its muscular potential for imposing large fines (p.6) both much higher than the CNIL’s €50 million fine on Google in France. Importantly, these UK fines were on British Airways and Marriot Hotels, which are not large US tech companies. These decisions make the point that the GDPR is for everyone. As the ICO now has more staff and more financial resources than any other national DPA, it can and does play a very active international role.

The ICO takes the lead on 10 EDPB working groups and has also been the lead DPA on more Binding Corporate Rules decisions than any other country. If the UK leaves the EU, companies currently working on BCRs with the ICO will have to find another Data Protection Authority in the European Economic Area (EEA) which could be at Land (state) level in Germany or a member of the EEA, Norway, Iceland or Liechtenstein.

Independence of the European Data Protection Board

The European Commission’s position, citing GDPR Art. 68.3, is that only Member States of the European Union may be members of the EDPB. On a strict interpretation, that means that after Brexit, the ICO could not be a member. However, we know that the three members of the EEA do attend, and may act as rapporteur for sub-groups (Norway PL&B Int Report October 2018 p.4) and vote, although their decisions are recorded separately from those of the Member States.

Most DPAs on the EDPB appreciate the UK’s contributions. But there is a clear tension between the European Commission, which upholds the legal status of the GDPR and is a non-voting member of the EDPB (GDPR Art. 68.5); and on the other hand, the EDPB which has “independence” and “in the performance of its tasks or the exercise of its powers, [shall] neither seek nor take instructions from anybody.” (GDPR Art. 69.2).

While we wait to see how this conundrum will be resolved in the event of Brexit, Elizabeth Denham has worked to strengthen the ICO’s international ties both on the wider international stage, for example at the G20 in Japan (p.9) and within the EU.

For example, on 12th April, Denham visited Ulrich Kelber and his team at Germany’s DPA. The news item on the latter’s website states (in translation) “Under the heading ‘Brexit’, issues of future practical cooperation between ICO and BfDI in the event of the withdrawal of the UK from the EU, and related issues such as appropriate guarantees for international data transfers, were also discussed.”

The clear ambition of the ICO is to stay within the EDPB but be prepared to maintain bilateral ties if that becomes impossible. While the European Commission is strongly against the UK leaving the EU, it would make sense for both sides if the EDPB were to take a pragmatic decision and find a way for the ICO to stay onboard somehow.

We will report on whatever progress has been made in the September edition of PL&B United Kingdom Report.


Stewart Dresner, Publisher


UK Report 104

Lead story:

ICO’s Denham: Children’s code and Adtech key pieces of work

As the ICO issues its AdTech report, a response to the government’s Online Harms paper and prepares the Children’s code, the regulator is firing on all cylinders. By Laura Linkomies.

Contents also include:

  • Comment: Pan-European enforcement to start and finish for the UK?
  • ICO in Northern Ireland
  • National data strategy
  • Real Time Bidding
  • Age Appropriate Design
  • Room for manoeuvre after Brexit?
  • Data transfers: Unlocking the value of analytics in a 5G world
  • Model Clauses are out of date
  • Challenges for DPOs
  • EIRs: Decision on costs
  • ICO intends to fine BA £183 million and Marriott £99 million
  • ICO’s future plans
  • Elizabeth Denham at G20
  • Upper Tribunal seeks members
  • People in dark about their data
  • ICO issues cookie guidance
  • Class action cases advance
  • SARs when under administration
  • EU review of adequacy decisions well underway
  • ICO report: GDPR one year on
  • Study considers privacy and crisis management
  • White Paper on online harms threatens freedom of expression
  • Government eyes crime-busting data analytics