Codes of conduct can build a bridge between the UK and the EU
While Brexit rhetoric remains a driving force of government policy, codes of conduct can provide a bridge between the UK and the EU. Professional and personal links developed over many years are proving resilient for mutual advantage.
The ICO quite rightly devotes substantial staff time and resources to working with stakeholders to develop codes of conduct in several areas where the UK law’s principles and provisions are open to wide interpretation and where a consistent approach among the competing companies is seen as clearly desirable. Such ICO codes of conduct include:
- the Children’s Code (Age Appropriate Design Code) for online services, such as apps, online games, and web and social media sites, likely to be accessed by children, which enters into force on 1st September (PL&B UK Report May 2021).
- the Data Sharing Code (PL&B UK Report January 2021) which the government laid before Parliament on 18 May after the DCMS had received 282 responses from across the public sector, civil society, industry and academia, as well as from members of the public, and will soon enter into force.
Most developed countries with data privacy laws face similar problems and companies operating in them generally prefer a common legal framework. It is clear from Slaughter and May’s survey of their clients’ attitudes to different EU and UK laws on the same issues (p.4) that “The key priorities with these mainly large companies were to gain clarity, stability and interoperability…. [Companies’] outlook for the UK regime was not to diverge too far from the EU regime or put UK adequacy at risk.” Companies can see benefits from the EU and UK Standard Contractual Clauses being very similar, as it saves time, money, and unnecessary complexity.
EU approved codes of conduct
The same principle applies to EU codes of conduct – see PL&B Conference 2021 Session 4 International cloud codes of conduct: Building an environment of trust, chaired by Helena Wootton, PL&B data lawyer and trainer. On 19 May, the European Data Protection Board gave a positive opinion to two international cloud codes of conduct which were then approved by the Belgian Data Protection Authority on 20 May and a separate cloud code of conduct by France’s CNIL on 11 June.
The relevance to the UK is that many multinational companies operate in both the European Economic Area and the UK and therefore a carefully worked out and agreed code of conduct in the former can easily apply to the latter. In every case “a code puts operational detail to legal language and differences of view have been reconciled” said Antoine Bon, Legal Advisor, DPA, Belgium. The work in developing a code opens a dialogue with an industry via the monitoring body leading to a co-regulation, not a self-regulation process.
Every code needs a monitoring body. A code which has passed through a rigorous review process at international and national levels “flattens the playing field” explained Gabriela Mercuri, Manager Public Policy & Economic Affairs, SCOPE Europe, the monitoring body for the Belgian DPA approved cloud code. She continued that a code benefits business by increasing cohesion in an industry, and DPAs take mitigating factors into account if an organisation has complied with an agreed code.
A DPA is still there as the regulator. Paul Breitbarth, Director, Global Policy & EU Strategy, TrustArc, pointed out “DPAs are overburdened, so codes are a good way to take minor issues of their plates.” Michal Czerniawski, Legal Officer, EDPB, confirmed “Codes are useful as a cost-effective tool for compliance with the GDPR.”
A code provides a foundation on which other codes can be developed as all parties gain experience. In every case, there will be a need to identify an appropriate DPA with the time and capacity. Now the first GDPR-compliant codes have been approved, others are being developed, some with international reach and others which apply in only one country. Examples of codes being developed include ones on gambling with Malta’s DPA, marketing with Spain’s DPA and even a national one for condominium owners.
The work is never finished. International transfers have been a later supplement to the Belgian approved international cloud code, and liability is not covered at all.
DPA cooperation the norm
With such activity on codes at EU level, it would make good sense for the UK to closely follow this model so that any EU codes of conduct provide a template for an essentially equivalent UK code in a specific sector. The Swiss have followed this pattern in the revision of their data protection law to remain compatible with the GDPR but with some distinctive Swiss features (PL&B International Report October 2020).
I suggest that codes could provide a bridge between the UK and the EU, as most companies will surely consider that very similar codes, prepared with substantial corporate input, provide a unifying force with greater certainty, lower costs and less risk.
The way forward should be harmonious. ICO and the European Data Protection Board members have been accustomed to working together for many years. Such cooperation has rolled over, for example, on sandboxes with the ICO, France’s CNIL and Norway’s Datatilsynet. All European DPAs are members of the Global Privacy Assembly (GPA) and many are members of the GPA’s Digital Consumer Working Group, and the Global Privacy Enforcement Network. International cooperation is the norm so it should equally apply to codes of conduct.
Opportunity to cooperate with PL&B on Sponsored Events
Please send us your ideas for sponsoring webinars and podcasts outlining the subjects, potential speakers and the month you would prefer. You will be able to build your brand awareness with PL&B as your globally recognised and trusted partner. See our previous webinars and podcasts.
Of course, we are also keen to hear from you with suggestions for articles for PL&B Reports.
Stewart Dresner, Publisher
UK Report 116
UK receives data adequacy but under a watchful EU Commission
The UK is confident that its own adequacy decisions will not cause a threat for UK EU adequacy, or lower its data protection standards. Laura Linkomies reports.
Amex’s £90k marketing fine: Risk-based approach or bold interpretation of PECR?
Only three complaints to the ICO were enough to trigger an investigation. Marta Dunphy-Moriel and Alexander Dittel of Deloitte Legal analyse the case.