The UK’s accelerating international engagement
While the UK’s departure from the European Union, the Single Market and the Customs Union signalled a hard Brexit, all the signs are that, from the data protection perspective, the UK Information Commissioner’s Office is actively engaged with both the European Commission and Data Protection Authorities in Europe and around the world.
From the start, the ICO was neutral as an institution in the Brexit referendum. But the previous Commissioner, Elizabeth Denham, did everything possible to ensure that personal contacts with, and bridges to, the European Commission and the European Data Protection Board would remain in place.
The new Commissioner, John Edwards has started his term this year with Brexit completed. As the former Privacy Commissioner in New Zealand, and formerly a member of the Global Privacy Assembly’s Executive Committee, he comes to his UK role with many international contacts so the office cannot be considered to have an isolationist UK perspective.
We have learned from our recent webinars, such as Helping young people to better protect their privacy and safety online that there are continuing discussions between DPAs on matters of common interest because most privacy issues indeed impact the majority of countries. For example, there is common ground between the UK and the Irish guidance on children’s issues. The main difference is that the UK code has a statutory basis whereas the Irish guidelines do not.
The ICO is fortunate to be probably the world’s best resourced and staffed DPA and it co-operates widely. It willingly shares its experience and expertise, for example on its sandbox, with others, such as the DPAs in France, Norway and most recently the Estonian DPA which is now working on a sandbox for Artificial Intelligence.
There is no doubt that the UK’s ICO can now act without needing to co-ordinate with others to achieve EU-wide consensus. This was the message given to me by John Edwards when I asked him whether the DCMS’s reform of the UK’s data protection law is dealing with real problems with the current law. While Edwards did not want to be drawn into this political area, he responded: “Is the GDPR perfect? If not, there is room for reform.”.
There is also room for a harmonised approach. It is clear that the ICO’s UK Standard Contractual Clauses are closely harmonised with the EU model on the understanding that all types of business want consistency in regulation across Europe, regardless of Brexit separatist rhetoric.
The ICO Team has told me in recent weeks that they are active in international dialogue in several ways. Chris Taylor, Head of Assurance, cooperates with other DPAs and keeps himself well-informed on decisions of the European Data Protection Board on Codes of Conduct. John Edwards and Stephen Bonner, Executive Director, Regulatory Futures and Innovation, last month visited Washington DC and had meetings with the Federal Trade Commission and US Senators who are seeking to introduce new children’s privacy legislation into Congress. The ICO actively engages with the largest tech companies, despite enforcement action when necessary. Bonner last month publicly praised Google for its cooperation on cookies.
The UK government’s international outreach
The UK government has a team negotiating International Data Transfer Agreements with the target of 10 countries by the end of this year. The government is steering a narrow course between exercising its post-Brexit freedom to act independently and not endangering its adequacy agreement with the EU. I expect that those countries on the list with current EU adequacy agreements, such as Canada, Japan, Israel and New Zealand will be relatively easy to negotiate because one cannot imagine the UK taking a stricter line than the EU. Others, such as the US and Singapore will be much tougher as these countries’ privacy law regimes are very different from the European norm. Having said that, the countries with adequacy agreements are very different from each other. None are a “copy and paste” of the EU model. The UK government team is fully aware that they must review both law and practice and that their methodology will be open to legal challenge.
I asked Vince Weaver, the UK government’s Head of Governance for International Data Transfers, whether his team always bears in mind the risk to the UK’s EU adequacy status? He assured me that they do and are in frequent discussion with the European Commission to keep them up to date and avoid surprises when these 10 agreements will be announced by the end of this year.
The first 10 countries’ agreements will be announced one at a time when they are reached. I asked Weaver whether Switzerland might be on the list, as it has an EU adequacy declaration and like the UK, is in Europe but not in the European Economic Area. It would surely be an easier decision to reach than one for the US. Weaver simply replied that Switzerland is not yet on the list.
PL&B events in May and July
Several issues in the May edition of PL&B UK Report and this letter will be covered at the following PL&B events:
- Date: 18 May 2022
- Host: Latham & Watkins,
- An event to help you negotiate with the DPAs in France, Germany, Ireland and Spain
- Date: 25 May 2022
- Host: Norton Rose Fulbright, London
- A Roundtable to enable companies and their advisors, to provide feedback and constructive comments to Julia Lopez, DCMS Minister, on the government’s proposals to reform UK data protection legislation.
Winds of Change, PL&B’s 35th Anniversary International Conference
- Dates: 4-6th July 2022
- In-person and online
- St. John’s College, Cambridge, UK
We look forward to meeting you at these events.
Publisher, Privacy Laws & Business