The UK’s independent data protection policy

It is well known that the UK must forge its own data protection policies after Brexit, as the government does not wish to rely on policy positions drafted by, and negotiations conducted with, the European Commission.

The consequence is that the UK government must decide on a strategy and then recruit and deploy many people with expertise to develop its policies. It has to work out what should be the UK’s detailed positions on a wide range of issues both in the domestic sphere and also involving international data transfers, such as:

negotiating with the EU on their view of the UK’s law and vice versa; negotiating adequacy of EEA Members States’ laws from the UK’s perspective; bilateral discussions with currently EU “adequate” non-EU countries, such as Switzerland, Canada, the Channel Islands and the Isle of Man; new countries for a UK adequacy review, for example, South Africa, Brazil and India; sectors in other countries; specific jurisdictions, for example, California, Hong Kong and Macao; a future permanent role for the ICO on the European Data Protection Board, as part of “regulatory cooperation” rather than, as starting in February this year, the ICO attends only when invited; Binding Corporate Rules, codes of conduct and certification; international organisations, such as the WTO and the G20; APEC and its Cross-Border Privacy Rules.

Impact of the coronavirus

Last week, responding to public concern about the coronavirus outbreak, the ICO published a statement which emphasised that it is “a reasonable and pragmatic regulator, one that does not operate in isolation from matters of serious public concern [so] we will take into account the compelling public interest in the current health emergency.” 

We at PL&B have many years of experience of remote working and have developed a Plan B for our 33rd Annual International Conference.

Sandbox progress report

It is now six months since the launch of the ICO’s sandbox, where tech companies are testing out their concepts and prototypes in a legal safe place. We covered the experience of Onfido and their work on a facial recognition identification system last September (PL&B UK Report September 2019 p.1). On 9 March, the ICO published an update on this project in which Ian Hulme, Director of Regulatory Assurance, explained the benefits to the ICO in terms of engaging with real world examples of various types of tech ensuring that “ innovative products with considerable public benefits do not come at the cost of privacy rights.”

We at PL&B are making our own contribution on privacy aspects of biometric identification by:

• publishing Confronting the challenges of vendor management in biometrics,
• reporting on our survey Considerations when introducing a biometric identification system, and
• sending our Recommendations and questions to the ICO following our 29 January Roundtable on biometric identification techniques in a commercial context

Nowhere to Hide, PL&B’s 33rd Annual International Conference

We will continue to cover biometric issues. Neal Cohen, Director of Privacy for Onfido will give his company’s positive perspective and chair a panel on Privacy: A data scientist’s perspective at Nowhere to Hide, PL&B’s 33rd Annual International Conference 29 June to 1 July 2020 at St. John’s College, Cambridge. He will be joining some 50 speakers from many countries in around 30 sessions. The 20% discount registration period has now been extended until the end of March.

The conference programme: We expect to publish the full daily programme before the end of March. Meanwhile, you may register now and amend the names of the participants later. In addition, different members of your team may attend on different days. 

The PL&B Team works in several locations so we are as well prepared as we can be to continue our services during the current health crisis. We trust that we will all find a way to flourish into the future.


Stewart Dresner, Publisher


UK Report 108

Lead stories:

UK seeks an independent data protection policy

Full alignment with the GDPR cannot be taken for granted any longer as Boris Johnson, the Prime Minister, steers away from commitments
made in the Withdrawal Agreement. By Laura Linkomies.

ICO publishes final online Age Appropriate Design Code

DPIAs, high level privacy settings and switching profiling “off” by default are aspects required by this code, subject to Parliamentary approval. By Ben Slinn of Baker & McKenzie.

Click for full contents list