UK ambitious alignment with EU GDPR in sight?

The several days of debate in the House of Lords in April on the Data Protection and Digital Information (DPDI) Bill showed a more detailed scrutiny of the Bill there than in the House of Commons.

There is consensus on the UK’s ambition to become a global centre for data-driven innovation which lays the ground for a more flexible approach to safeguarding individual rights. As always, the legislature has to strike a balance in principle and the regulator then has to make it work in practice.

Some of the main points on which the Lords pressed the government include research provisions, the legitimate interest list, data exchanges and purpose limitation, Smart Data initiatives, international data transfers and automated decision-making.

International data transfers

International data transfers are the issue of most concern to many businesses. Is there a risk that the divergence from the EU GDPR represented by the UK’s DPDI Bill will mean that the UK might lose its adequacy status? DSIT Minister Michelle Donelan has made it clear that her policy team must make efforts to ensure that the UK retains its EU adequacy status.

Aware of the government’s potential interest in compromise, and encouraged by close scrutiny of the text of the DPDI Bill, some of the Lords have submitted amendments on various points, including international transfers.

Fortunately, on their side, the European Commission and the European Data Protection Board (EDPB) are already showing signs of compromise on international transfers, not merely to reach across the Channel to the UK but to reach across the world.

The clearest sign of this move towards flexibility regarding the wider world was the European Commission’s statement on 4 March when announcing the High Level Meeting on Safe Data flows, as I reported last month.(1)

While this event was described as private, I have managed to gain access, using the right of access to public documents, to the speaking notes for this event for Anu Talus, the Chair of the EDPB.

These notes show recognition that there is a need and a wish by the 30 European Economic Area DPAs to expand the European Commission’s ambitions for legal transfers of personal data. They would like to go beyond the 15 countries/jurisdictions already approved following the current “gold standard” approach.

Maximising safe data flows as a network

The highlights of Anu Talus’s presentation at the 4 March event in Brussels included:

  • “At EDPB, we believe there is a need to further develop and multiply adequacy decisions between the EU and third countries”
  • The EDPB has encouraged “the development of GDPR codes of conduct and certification as a tool for transfers.”
  • “Standard contractual clauses are another practical tool for businesses, and we also welcome the fact that several countries, international and regional organisations are increasingly developing model clauses”
  • “There is also the work of the Global Privacy Assembly (GPA) Global Framework and Standards Working Group, including the comparative analysis of contractual clauses for transfers.”

Talus made a clear call for the benefits of the Brussels network effect: “Overall, convergence among data protection frameworks and transfer tools around the world is the key to facilitate interoperability. And there is a momentum for us to join forces. I believe our network could have a positive effect on other countries globally, to show that trust and a high standard of protection of personal data are the enabler of global convergence of transfer tools.”

The route to greater convergence

The notes continued listing some policy objectives:

  • “We could aim at closer cooperation on codes of conduct and certification, when such tools are in our respective legal frameworks.”
  • “We could start exploring how to achieve greater convergence between the [EU’s] Standard Contractual Clauses and other model clauses from frameworks providing an adequate level of protection…”
  • “We could also use this network as a platform to keep each other updated on relevant developments relating to adequacy decisions or on legislative developments in our countries.”

She listed specific initiatives: “We could convene during existing international meetings, such as in the context of the GPA…This could include GPA resolutions, thereby having an effect on other third countries and networks.”

Her final point is a way for the UK’s ICO, for example, to achieve closer engagement with its EEA counterparts. The notes conclude: “Finally, the EDPB would also be happy to welcome, occasionally, representatives of adequate countries to the EDPB plenaries, to exchange on topics of common interest.”

The mood in the UK, even in the government, is clearly shifting. Such a closer engagement between the UK and the EU should be a win for both sides.

I recognise that privacy advocates and business interests will not be completely satisfied by the final version of the DPDI Bill. But with goodwill on both sides, I think that alignment between the UK and EU on data protection law should be achievable.

Several sessions at Valuable Data, Priceless Privacy, PL&B’s 37th International Conference specifically address these themes from UK, EU and wider international perspectives. We look forward to meeting you there.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

  1. April 2024 Blog - EU adequacy decisions lead “the Brussels effect”

May 2024
