UK-EU convergence in the face of adversity

Sentiment in the UK in favour of a closer relationship with the EU is growing, according to surveys. The Labour government is cautiously leading the way pursuing discussions with the European Commission on a growing list of subjects on which there is a measure of consensus where a win-win can most likely be achieved. The most visible areas are a youth mobility visa scheme, veterinary standards, and reduction of some border checks. All of these areas of cooperation are being achieved without recourse to tribal pro and anti-EU rhetoric.

According to Politico, in a draft document prepared for a 19 May UK-EU summit to be hosted in London, there are plans to emphasise the common interests between the two sides in the face of language critical of the EU (including the GDPR) by the US Trump administration – see my March blog. So the draft for the 19 May summit has expansive language, such as a commitment to “free and open trade” bringing the two sides together in the common cause of clearly defying the US president’s tariff agenda.

UK government’s support for the ECHR

While no-one would claim that data protection law lies at the core of these discussions, there is expected to be a commitment by both parties to “multilateralism” — including support for the United Nations Charter, the European Convention on Human Rights (ECHR), and other international agreements. Although some UK politicians, including the Reform Party, and some Conservative Members of Parliament, say they want to leave the ECHR, I detect public weariness, a consensus that this is yesterday’s battle.

The Brexit referendum was nearly nine years ago, on 23 June 2016, (in which 51.89% voted in favour of leaving the EU and 48.11% voted to remain). The projected economic gains have failed to materialise. So now, many people who formerly supported Brexit say in opinion polls that it is time to move onto other issues, in particular, loosening the time-consuming and expensive bureaucracy associated with trade between the UK and the European Economic Area.

The positive “mood music” for the EU’s adequacy review of the UK’s law

So while this summit on 19 May may have little to do with data protection law, it helps set the scene and the positive “mood music” for the EU’s adequacy review, with its new deadline postponed from June to December this year. As one of the criteria for the review is the overall legal framework, the UK’s adherence to the ECHR provides a comfortable familiar legal basis on which the details of the new law will be considered.

To avoid surprises when the Data (Use and Access) Bill (DUAB) is enacted, the UK’s data protection reform team in the Department of Science, Innovation and Technology makes efforts to keep their counterparts in Brussels well informed as the Bill makes its steady progress through the Parliamentary process. With the government’s large majority in Parliament, and no general election to disturb the Bill’s timetable, the DSIT team expect the bill to transition into the Data (Use and Access) Act 2025 in June.

Timetable for The Data (Use and Access) Act 2025

The timetable for the new law’s entry into force is likely to follow the convention that substantive provisions should not be commenced for at least two months after Royal Assent, the point at which the Bill is formally enacted. It is then likely that the government will give organisations longer (for example six months after Royal Assent) to prepare before commencement of the main data protection measures. The exact date will then be specified in commencement regulations made by Ministers.

The first UK GDPR Code of Conduct approved by the ICO

The UK’s ICO is undoubtedly a well resourced and active regulator. As well as its relatively new mission of helping economic growth, the ICO retains its traditional mission to encourage good practice. So last October it approved its first Code of Conduct, which was developed by the Association of British Investigators. We explain in this edition how codes work and share the experience of the team drafting and advising on it in the negotiations with the ICO.

There are critics of the ICO’s fining policy but it would take a major shift by the new Information Commission to follow the practice of Spain’s AEPD (DPA) and move from a few relatively large fines to imposing many low level fines.

The Good, the Bad and the Good Enough, PL&B's 38th International Conference in Cambridge 7-9 July

Conference sessions feature 60+ speakers from 18 countries. While the highest standard of compliance is an ambitious target, most regulators might well be pleased if they could encourage businesses and the public sector in their countries to reach the “good enough” standard.

Sessions cover a wide range of subjects. I work with all session leaders to provide you with value added sessions based on both the law and company experience. You can see the conference themes, the speakers and all the sessions in the conference programme published today.

You are welcome to be a speaker in the Debate at the Cambridge Union for or against the motion: This House believes the concept of “special category data” needs reforming. So e-mail me if you would like to contribute in this way.

We look forward to receiving your registration, responding to your questions, and meeting you in Cambridge in just over two months from now.

Best regards,

Stewart Dresner
Publisher, Privacy Laws & Business

May 2025