The United Kingdom has been busy in the past couple of weeks starting to chart its independent course on data protection and privacy matters. We should keep in mind, however, that some of the more dramatic announcements about improving the UK’s data protection rules and building cross-border data partnerships have been made by the UK’s Department for Digital, Culture, Media & Sport (DCMS), not the completely independent Information Commissioner’s Office (ICO).
Here’s a quick round-up of some interesting and important developments.
UK Adequacy Decisions – Let the Data Flow!
Although the UK is no longer required to follow EU data protection laws in lockstep, there will be considerable pressure to stay reasonably aligned with Europe in order to keep the European Commission’s adequacy decision, which allows EU personal data to flow to the UK without barriers. The UK does, however, have some room to maneuver to adopt laws and guidelines that reduce some of the arguable excesses of EU data protection laws (such as the notorious cookies consent rules). The UK can also adopt its own adequacy decisions.
To start with adequacy decisions, the UK’s Department for Digital, Culture, Media & Sport has announced that it will prioritize discussions with the following countries to assess the adequacy of their data protection laws to protect the personal data of UK persons: Australia, Brazil, Colombia, the Dubai International Financial Centre, India, Indonesia, Kenya, the Republic of Korea, Singapore and the USA. If found adequate by the UK, these countries would join the countries that the UK has already approved by virtue of having retained the adequacy decisions issued by the EU Commission prior to Brexit (notably, Canada, Switzerland, Japan, New Zealand, Argentina and Israel, among others).
The object of adequacy decisions is to reduce barriers to personal data transfers and thereby reduce costs to businesses and other organizations that need to share personal data across these borders. Adding the USA would be greatly appreciated by businesses on both sides of the pond, as it would reduce some of the still-unresolved uncertainty about data transfers that resulted from the Schrems II decision. It should be noted, however, that onward transfers of EU personal data via the UK probably would not be permitted under the UK adequacy decisions, since that would be an end-run around the EU Commission’s authority.
The UK has made two other significant announcements recently in the data protection area – naming its new Information Commissioner to replace Elizabeth Denham, and publishing a consultation draft of new standard clauses for personal data transfers.
The Commonwealth continues to be a useful talent pool for the UK. Information Commissioner Elizabeth Denham, who was hired from Canada, will be replaced (once confirmed) by John Edwards, New Zealand’s privacy commissioner.
Data transfer clauses consultation
The UK has also published a draft of a new data transfer agreement for organizations to use when transferring personal data out of the UK to a country without an adequacy decision. The draft agreement and information about the consultation are available here. Interestingly, the UK’s draft transfer agreement takes a fresh look at how we might structure a standard data transfer agreement. It does not merely adapt the EU’s recently adopted updated standard contractual clauses for transfers. And very importantly, the UK has explicitly asked for comments on the proposition that a transfer to a recipient outside of the UK who is nonetheless subject to the GDPR (under Art. 3(2)) should not be treated as a data transfer at all. This affects a large number of non-UK companies since it would apply to data processing in connection with offering goods or services to people in the UK, or monitoring their behavior (primarily, automatic online tracking of website and app users). There’s a certain logic to the UK’s proposal, but unfortunately, little support in the GDPR or the published guidance to date from the European Data Protection Board. Going down that path would be a significant divergence from the current EU approach.
If you have any questions or concerns, please contact the Mintz Privacy & Cybersecurity team or your usual Mintz contact.