Data protection | UK Regulatory Outlook July 2023

UK efforts to facilitate cross-border flows of data

The UK government sees international data transfers as being central to modern day business transactions; enabling international data flows is also one of the priorities for the Information Commissioner's Office (ICO) in its ICO25 strategy.

It is within that context that the UK has been granted associate status in the Global Cross Border Privacy Rules (CBPR) Forum. While the granting of associate status will not directly lead to any CBPR member country being granted an adequacy decision in the UK, the forum aims to support international data transfers between the member countries by enabling a high level of safeguarding for personal data. The UK's involvement may be seen as a step in the right direction for facilitating less burdensome ex-UK data transfers to those countries, including Australia, Singapore and the US.

Similarly, the UK has this month signed the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), with free-flowing data between CPTPP members being identified by the UK government as one of the top potential benefits. It remains to be seen what this will actually look like in practice, particularly with the CPTPP not expected to come into force until the second half of 2024.

Finally, the ICO has announced that the UK Home Office has concluded that the Bailiwick of Guernsey provides "an adequate level of data protection for law enforcement processing". This will now allow the free flow of personal data for law enforcement purposes between the UK and Guernsey law enforcement authorities, starting from Friday 28 July 2023.

EU Commission proposes new procedural regulation for stronger GDPR enforcement in cross border cases

Earlier this month, the European Commission proposed a new regulation which aims to enhance the efficacy of GDPR enforcement in cross-border cases (that is, when there are complainants located in more than one Member State).

In this proposal, the Commission suggests that, in cross-border cases, concrete procedural rules for the Data Protection Authorities (DPAs) should be set up to strengthen cooperation between them, to reduce disagreements later in the process and to harmonise approaches to enforcement. The procedural rules do not make any changes to the "one-stop-shop" system; rather, they are intended to complement it.

The proposed regulation also establishes how individuals should make a successful complaint as well as defining businesses' due process rights when a DPA investigates a potential breach of the General Data Protection Regulation (GDPR).

The Commission has helpfully released a Q&A page on the proposed regulation.

ICO submits data protection and journalism code of practice

Following feedback from the journalism industry and the wider public, the ICO has published a code of practice regarding the use of personal information for journalism and submitted it to the Secretary of State for the Department of Science, Innovation and Technology for laying before Parliament.

Once the code is laid before Parliament, it must remain before it for 40 sitting days, following which it will come into force 21 days later (if no objections have been made).

The code aims to help journalists understand what data protection law requires from them when they use personal data for journalism.

EDPB adopts guidance on controller-binding corporate rules

At the end of June, the European Data Protection Board adopted recommendations on the elements and principles to be found in Binding Corporate Rule applications by controllers (BCR-C) and published recommendations for the application process.

The recommendation indicates that all controllers who are seeking to implement BCR-Cs, or who have already implemented BCR-Cs, will be expected bring their controller BCR-Cs in line with the requirements set out in the recommendations.