Jun 272016

Amid news of Brexit, UK ICO seeks to provide reassurance

William RM Long, Alan Charles Raul and Cameron F. Kerry
, , , , , ,

As the world began to grapple with the implications of the UK’s vote to withdraw from the European Union, or “Brexit,” the UK Information Commissioner has sought to provide reassurance, issuing a statement reinforcing continuity of data protection principles and a commitment to the digital economy.

Because the UK’s Data Protection Act was adopted to be consistent with the current EU Data Protection Directive, EU-type data privacy principles will certainly continue to apply, with perhaps a greater dose of British common sense.  That means that data flows from the UK to the US will likely still need to be authorized under future UK-versions of “model contracts” or binding corporate rules.  The US and UK may even agree to a data transfer agreement modeled on the forthcoming Privacy Shield.  While there could be policy support on both US and UK sides for a US-UK framework that is less onerous than the highly rigorous new Privacy Shield, the UK will likely have an incentive to demonstrate to the EU that the data flows it receives from EU Member States will not be onward transferred to the US pursuant to less stringent terms.  Indeed, the UK Information Commissioner’s Office statement has already indicated that the UK may seek an “adequacy” determination from the EU under the new General Data Protection Regime.

For companies that have obtained approval for BCRs with the UK ICO as the lead EU data protection authority, or are in the process of doing so, there will need to be some sort of transition process that will inevitably be complicated. The UK may strive for status that is similar to that of Switzerland on data protection matters – namely, maintaining a parallel regime to that of the EU. In short, the unwinding and re-winding of UK data transfers to and from the EU and EEA countries, and to the US, will be pretty confusing for a while before it stabilizes.  It also seems possible, however, that the EU will not take Brexit as an impetus to double-down on unduly prescriptive privacy regulations, such as the 72 hour-breach notice requirement. Somehow the EU needs to make good on its commitment to promote Europe’s own digital economy and the loss of the UK may help focus the mind. Perhaps the silver lining will be a move towards greater international convergence on regulatory policy, and more reasonable harmonization on privacy.

Of course, it would be even safer to predict that there will be highly unpredictable impacts on data protection as well as everything else affected by Brexit.

William RM Long

London

wlong@sidley.com

Alan Charles Raul

Washington, D.C., New York

araul@sidley.com

Cameron F. Kerry

ckerry@sidley.com

You might also like
UK GDPR Reform Is Back! Department of Science, Innovation and Technology Introduces New Data Protection and Digital Information Bill

On 8 March 2023, the newly created Department of Science, Innovation and Technology (“DSIT”) introduced the Data Protection and Digital Information (No. 2) Bill. The “Bill” is in substance a re-introduction of the previous Data Protection and Digital Information Bill which was withdrawn from Parliament on the same day as the new Bill was published. The Bill, which has been hailed by the UK Government as one that will “save billions” and “cut down pointless paperwork” is the UK’s latest attempt to create a more streamlined piece of data protection legislation for the UK whilst still “ensur[ing] data adequacy.” The Information Commissioner’s Office (“ICO”) also welcomed the re-introduction of the Bill, with the Commissioner stating that he would “support [the Bill’s] ambition.” While much of the Bill remains the same as its previous iteration, we set out the key provisions and notable amendments below.

UK’s New Pro-innovation Approach to Regulating Digital Technologies

On 15 March 2023, the UK Government published, alongside its Spring Budget, a report on the Pro-innovation Regulation of Technologies Review (the “Report”). The Report was led by the government’s Chief Scientific Advisor and National Technology Officer, Sir Patrick Vallance, who was tasked with “bringing together the best minds to advise how the UK can better regulate emerging technologies, enabling their rapid and safe introduction.” In response, the UK Government has accepted all of the Report’s recommendations, and set out some next steps for their implementation.

Substantial Changes to Hong Kong’s Privacy Laws Coming

In a briefing to the Legislative Council (Hong Kong’s legislative body) on February 20, 2023, the Privacy Commissioner (“the Commissioner”) announced that substantive amendments to the Personal Data (Privacy) Ordinance (“PDPO”) will take place.