Data protection | UK Regulatory Outlook July 2023
Published on 26th Jul 2023
UK efforts to facilitate cross-border flows of data | EU Commission proposes new procedural regulation for stronger GDPR enforcement in cross border cases | ICO submits data protection and journalism code of practice
UK efforts to facilitate cross-border flows of data
The UK government sees international data transfers as being central to modern day business transactions; enabling international data flows is also one of the priorities for the Information Commissioner's Office (ICO) in its ICO25 strategy.
It is within that context that the UK has been granted associate status in the Global Cross Border Privacy Rules (CBPR) Forum. While the granting of associate status will not directly lead to any CBPR member country being granted an adequacy decision in the UK, the forum aims to support international data transfers between the member countries by enabling a high level of safeguarding for personal data. The UK's involvement may be seen as a step in the right direction for facilitating less burdensome ex-UK data transfers to those countries, including Australia, Singapore and the US.
Similarly, the UK has this month signed the Comprehensive and Progressive Agreement for Trans-Pacific Partnership (CPTPP), with free-flowing data between CPTPP members being identified by the UK government as one of the top potential benefits. It remains to be seen what this will actually look like in practice, particularly with the CPTPP not expected to come into force until the second half of 2024.
Finally, the ICO has announced that the UK Home Office has concluded that the Bailiwick of Guernsey provides "an adequate level of data protection for law enforcement processing". This will now allow the free flow of personal data for law enforcement purposes between the UK and Guernsey law enforcement authorities, starting from Friday 28 July 2023.
EU Commission proposes new procedural regulation for stronger GDPR enforcement in cross border cases
Earlier this month, the European Commission proposed a new regulation which aims to enhance the efficacy of GDPR enforcement in cross-border cases (that is, when there are complainants located in more than one Member State).
In this proposal, the Commission suggests that, in cross-border cases, concrete procedural rules for the Data Protection Authorities (DPAs) should be set up to strengthen cooperation between them, to reduce disagreements later in the process and to harmonise approaches to enforcement. The procedural rules do not make any changes to the "one-stop-shop" system; rather, they are intended to complement it.
The proposed regulation also establishes how individuals should make a successful complaint as well as defining businesses' due process rights when a DPA investigates a potential breach of the General Data Protection Regulation (GDPR).
The Commission has helpfully released a Q&A page on the proposed regulation.
ICO submits data protection and journalism code of practice
Following feedback from the journalism industry and the wider public, the ICO has published a code of practice regarding the use of personal information for journalism and submitted it to the Secretary of State for the Department of Science, Innovation and Technology for laying before Parliament.
Once the code is laid before Parliament, it must remain before it for 40 sitting days, following which it will come into force 21 days later (if no objections have been made).
The code aims to help journalists understand what data protection law requires from them when they use personal data for journalism.
EDPB adopts guidance on controller-binding corporate rules
At the end of June, the European Data Protection Board adopted recommendations on the elements and principles to be found in Binding Corporate Rule applications by controllers (BCR-C) and published recommendations for the application process.
The recommendation indicates that all controllers who are seeking to implement BCR-Cs, or who have already implemented BCR-Cs, will be expected bring their controller BCR-Cs in line with the requirements set out in the recommendations.
Call to action
It is official: the European Commission has finally voted to adopt its adequacy decision for the EU-US Data Privacy Framework (DPF).
We have published a detailed insight on the DPF – which you can read here – but there are a few short-term actions you should take in light of the DPF. These include (1) (for US data importers) consider certifying under the DPF, or (for data exporters) ask your US data importers if they intend to certify under the DPF, (2) consider the implications for your contracts of self-certification to the DPF (whether you are an exporter or US data importer) and (3) consider whether you need to revisit any of your Transfer Impact Assessments or Data Protection Impact Assessments which relate to or involve data transfers to the US, irrespective of whether your US data importer intends to certify under the DPF (because some of the safeguards now provided under US law (under EO 14068) also apply where the EU Standard Contractual Clauses are used instead).
Note that the DPF cannot be used to legitimise transfers of personal data which are subject to the UK GDPR, though we are anticipating further developments on the UK-US data bridge shortly.