*This article was first published by Law360 on January 3, 2022.
A recent discussion with Elizabeth Denham and Claudia Berg of the U.K. Information Commissioner’s Office provided ample food for thought on the direction in which data protection regulation both in the U.K. and internationally is headed, including key trends to watch for in data protection.
On 7 October 2021, the Information Commissioner’s Office (“ICO”) published its response to the UK government’s consultation entitled “Data: A new direction”. The consultation, which sets out the proposals of the Department for Digital, Culture, Media & Sport (“DCMS”), promised far-reaching reforms to the UK data protection regime with an emphasis on capturing the power of data to drive economic growth and innovation. The DCMS’s proposals posed a significant moment for UK data protection law and, as such, Sidley was pleased to host a Chatham House Rule discussion about this important consultation on 15 September 2021 with Joe Jones, Deputy Director, International Data Transfers at the DCMS. We hope that interested readers may have attended our discussion with Deputy Director Jones.
On August 26, 2021, the UK Government’s Department for Digital, Culture, Media and Sport (DCMS) published its mission statement setting out the UK approach to adequacy assessments and international data transfers, alongside a Manual Template and Manual Guidance for undertaking adequacy assessments and an infographic map illustrating ten priority countries forming part of that process. This release forms part of a broader package of measures announced by DCMS to “seize the opportunities of data to boost growth, trade and improve its public services” following the UK’s exit from the EU, which included an announcement that John Edwards (the current New Zealand Privacy Commissioner) is the Government’s preferred nominee to be the next UK Information Commissioner.
On 11 August 2021, the UK Information Commissioner’s Office (ICO) launched a public consultation on its draft international data transfer agreement and guidance (Consultation). The Consultation comes two months after the European Commission’s adoption of new EU Standard Contractual Clauses (EU SCCs) and the European Data Protection Board’s publication of the final Schrems II guidance. The EU SCCs do not automatically apply in the UK since its exit from the EU. Moreover, the ICO has not yet formally acknowledged the EU SCCs, i.e., as a valid data transfer mechanism under the UK GDPR.
On 28 June 2021, the European Commission announced that it has adopted two adequacy decisions for the UK, one under the General Data Protection Regulation (GDPR) and one under the Data Protection Directive with Respect to Law Enforcement (Law Enforcement Directive) (Adequacy Decisions). The announcement comes just two days before the bridging period for data transfers between the EU and the UK was set to expire. In its assessment, the European Commission has determined the UK’s data protection laws are “essentially equivalent” to the data protection laws ensured within the EU. As a result of the Adequacy Decisions, personal data can continue to flow freely from the EU to the UK without the need for a data transfer safeguard (e.g., Standard Contractual Clauses or SCCs) to be in place. This announcement comes as very welcome news to many organisations transferring data between the EU and the UK.
On 13 April 2021, the European Data Protection Board (EDPB) adopted two Opinions on the draft UK adequacy decisions: (i) Opinion 14/2021 for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) Opinion 15/2021 for transfers of personal data under the Law Enforcement Directive (LED).
On February 19, 2021, the European Commission (EC) published two draft implementing decisions to enable the continuing free flow of personal data from the EU to the UK post-Brexit (the Draft Adequacy Decisions): (i) for transfers of personal data under the EU General Data Protection Regulation (EU GDPR); and (ii) for transfers of personal data under the Law Enforcement Directive (LED). This will come as a huge relief to companies across all industries that are in parallel already grappling with the repercussions of Schrems II. In fact, the Draft Adequacy Decisions (which collectively run to almost 140 pages) are the first of their kind in a post-Schrems II world and will likely be closely reviewed—including by privacy advocate Max Schrems, who has promised his Twitter followers to “take a look at” the Draft Adequacy Decisions, in particular with regard to the LED (which addresses UK government surveillance activities).