Changes in the regulation of international transfers of personal data
There is much more dynamism and appetite for change in the regulation of international transfers of personal data than might appear.
The UK continues to engage with the EU despite Brexit
Differences remain between the EU’s gold standard and the UK’s search for an alternative but “essentially equivalent” path. Behind the political rhetoric of the UK pursuing its independent goal, it is clear that John Edwards, the UK’s new Information Commissioner, is doing his utmost to forge a working relationship with his EU counterparts. His experience of having previously been New Zealand’s Privacy Commissioner and Chair of the Global Privacy Assembly means that he takes a dispassionate position on Brexit, which he described in his speech in Brussels last month as a “painful divorce.” He declared that he would work to ensure cooperation and mutual respect to provide win-win outcomes. He and his staff have worked with officials and ministers “to ensure that all that is good about the GDPR is not traded away for hypothetical gains.” He aims to take faster decisions and avoid unnecessary divergence in approach.
He regrets that the ICO no longer has a seat at the European Data Protection Board and called for a way they could still work together. He aims to achieve a memorandum of understanding with national DPAs in Europe, similar to those the ICO has with Australia, New Zealand and Singapore.
Perhaps he will suggest building on the practice of the EDPB inviting DPAs not in the European Economic Area to attend meetings when their presence is relevant and helpful to discuss specific subjects. As the UK has such a well-resourced, staffed and funded regulator, there could be a non-voting role for the ICO in many of the EDPB’s meetings and working groups.
Edwards has set the goal of a collective approach to international data flows. In a break with previous ICO orthodoxy, he described Standard Contractual Clauses and Binding Corporate Rules as “expensive proxies” and individualised adequacy determinations, and accreditation programmes like APEC’s Cross-Border Privacy Rules (CBPRs) imposing “significant costs on industry and governments” and providing “dubious benefits to those they are intended to protect.”
International transfers in other forums
The Global Privacy Assembly is conducting a mapping exercise between different data transfer systems, such as EU Binding Corporate Rules and the US-backed Global CBPRs.
Despite the weaknesses of CBPRs analysed by Professor Graham Greenleaf, he argued at the CPDP Conference in Brussels last month for a system more manageable than the current one. Bilateral recognitions of adequacy or white lists become too cumbersome as 130 countries have data export rules, he explained.
Ulrich Kelber, Germany’s Federal Data Protection and Information Commissioner, announced at the same conference that Germany’s Presidency of the G7 major industrial countries is continuing the work initiated by the UK’s ICO on the G7 Roadmap for cooperation on Data Free Flow with Trust. This programme has identified four areas of cooperation: data localisation, regulatory cooperation, government access to data, and data sharing for priority sectors. Data protection is mentioned in this work programme in a reference that the G7 will continue to “address challenges related to privacy, data protection, intellectual property rights, and security.” This document also refers to comparable work done by other forums, such as the OECD.
While one can recognise the high costs of conducting traditional EU-style adequacy assessments, the problem with this seemingly solid G7 programme is that trust is a rather nebulous concept. There would have to be considerable networking among the parties to reach a consensus on what trust means in practical terms. How long would it take to achieve agreement on which countries should be on a common white list for free international transfers? In short, how does one measure “trust”?
The European Commission does not work in isolation on international transfers. It exchanges ideas with the business community, for example in providing scenarios on how to apply its new Standard Contractual Clauses.
It is also not alone in negotiating international transfer agreements. Both the European Commission and the UK government’s DCMS International Data Transfer Team have visited Washington DC and Latin America in recent months in pursuit of acceptable data transfer arrangements which would withstand scrutiny by fair-minded critics. The UK is demonstrating its aim to act independently by making a visit and giving priority to Colombia, one of the countries in Latin America that has a data protection law (since 2008) and a Data Protection Authority but is not recognised as adequate by the European Commission.
While the European Commission has a common approach when negotiating with candidate countries, the UK government is showing its flexibility and business-friendly pragmatism by conducting discussions with a sub-state entity, such as the Dubai International Finance Centre. The UK government is also taking a narrow approach to the goal of an arrangement with the US and focusing on a sector, such as securities, where a formal Memorandum of Understanding between the ICO and the Securities and Exchange Commission already exists. The US has some new state laws but it does not have a comprehensive privacy law. Once again there are some signs of movement in this direction in the US Congress, but I have seen many such starts in the last 20+ years and none have progressed far.
Registering for this conference will enable you to hear directly, and meet speakers, from many entities mentioned here, such as the European Commission, the European Data Protection Board, the ICO, the UK government’s DCMS - and DPAs from France, Belgium, Switzerland, Singapore and Japan and many others - from 14 countries altogether.
- Dates: 4-6th July 2022
- In-person and online
- St. John’s College, Cambridge, UK
We look forward to meeting you there.
Publisher, Privacy Laws & Business