Brexit isolationist rhetoric gradually slipping away
Brexit was never a matter of emotion in the UK’s data protection community. In my experience, it was more of a matter of “let’s see what we can do to make it work” in this political environment.
Companies tell me that they remain frustrated when faced with diverging EU and UK data protection legislation. One regulatory framework across Europe would be far preferable to keep data protection law standards up and compliance costs down.
It is this drive to “just make it work” which was the underlying theme behind the Binding Corporate Rules Workshop which PL&B held in association with, and hosted by, law firm Hogan Lovells in London on 12 December.
The government policy and data protection regulator speakers explained to in-house company lawyers and law firm lawyers how BCRs are developing both in the UK and at EU level. As companies aim for harmonisation, or at least mutual recognition, the group proposed ideas to present to the European Data Protection Board (EDPB), which was seeking comments on its draft. It was clear that despite identical starting points, the two sides are gradually diverging but not yet to a point where convergence is impossible. The UK and EU BCR documents and approaches still have much in common and the differences are more of style and administrative approach than substance.
The resulting memo, submitted on 10 January, provided the EDPB, the European Commission, the UK government, the ICO and Ireland’s Data Protection Commission with our constructive, principled recommendations to encourage a common approach to BCRs.
Keeping well away from Brexit isolationist rhetoric, the government’s policy staff continue to try to smooth the way for ministers in keeping channels open to Brussels, forged through years of close cooperation.
Meanwhile, the ICO adjusted its regulatory practice to the new political reality. Regulating direct marketing by email has to be easier for one jurisdiction than trying to find consensus among 30 European Economic Area Member States. The same applies to enforcement action. Publishing the ICO’s reprimands, which stop short of financial sanctions, makes sense as part of the ICO’s educational role.
UK Adequacy assessments
I expect that the UK’s aim is now, after substantial efforts from the DCMS, to achieve in 2023 its target of declaring 10 countries/jurisdictions “adequate” after failing to meet this target by the end of December 2022. It may do so by adopting a more relaxed view than the EU of the criteria for “adequacy” of third countries.
Revised Data Protection and Digital Information Bill 2023?
There has been much delay in bringing back the UK’s Data Protection and Digital Information Bill to Parliament after it was withdrawn in September. Bringing it back “soon” is proving to be an elastic concept. As the months tick by, everyone is settling back to working within the current UK Data Protection Act 2018, still closely modelled on the EU GDPR. The UK government’s policy is to get rid of EU-based regulation, as it does not have to fear a Schrems-style appeal to the Court of Justice of the European Union. The previous government of Prime Minister Boris Johnson promised to throw out around 4,000 EU-based laws. Will the current data protection law join this list? As the current government, headed by Rishi Sunak, seems to be more pragmatic than ideological, reflecting a realisation of Brexit-related consequences, it might yet change this policy and leave UK data protection law much the same.
Building public trust
Data Protection Officers should be in the front line helping their organisations build and retain public trust in their privacy policies. Although most users of online services are actively or passively giving up their personal data to secure valued services, the trend towards public trust is more likely to grow if organisations commit to transparency, user control and openness to public scrutiny. This trend can be a conundrum for DPOs. Admitting data weaknesses is always difficult for any organisation, understandably reluctant to damage short-term commercial goals.
Save the dates for Who’s Watching Me? PL&B’s 36th International Conference 3-5 July 2023 at St. John’s College, Cambridge. Look out at the end of this month for our announcement of the themes, speakers and their sessions. We were pleased to receive a record number of speaking offers, showing a growing enthusiasm and commercial need to explore tensions between privacy values and data as a business asset.
Publisher, Privacy Laws & Business