ICO publishes its first ever international strategy

July 20, 2017

By Samantha Sayer

By Dennis Holmes

On 4 July 2017, the UK Information Commissioner’s Office (ICO) published its first ever International Strategy for 2017-2021. The strategy is a clear indication by the ICO that it intends to continue to invest in the protection of individuals’ personal data globally. In addition, it is clear that despite Brexit, the ICO is intent on continuing to be a leading privacy regulator globally. Given the changing times we are operating in, the ICO has also confirmed that the strategy will be regularly reviewed and amended in response to inevitable changes in a post-Brexit world, but as a start it has highlighted some initial key challenges to focus on and its key priorities for overcoming these challenges.

ICO’s key challenges

The ICO has identified the following four key challenges it faces:

  1. Challenge 1 – To operate as an effective and influential data protection authority at European level while the UK remains a member of the EU and when the UK has left the EU, or during any transition period.
  2. Challenge 2 – Maximising the ICO’s relevance and delivery against its objectives in an increasingly globalised world with rapid growth of online technologies.
  3. Challenge 3 – Ensuring that UK data protection law and practice is a benchmark for high global standards.
  4. Challenge 4 – Addressing the uncertainty of the legal protections for international data flows to and from the EU, and beyond, including adequacy.

In addition to setting out the challenges above, the strategy also indicates the ICO’s priorities for addressing these challenges which are summarised as follows:

Challenge 1 Priorities:

  • To provide expert advice to the UK Government;
  • To continue to strongly engage with the Article 29 Working Party and the European Data Protection Board once it is formed;
  • To continue to engage with other European data protection authorities and the Council of Europe, to seek to engage with specialist EU working groups and where appropriate to maintain a dialogue with Members of the European Parliament.

Challenge 2 Priorities:

  • To continue to invest in international relationships with existing privacy networks, to explore engaging in new networks and to develop new networks to address these strategic priorities;
  • To continue to play a leading role in effective international enforcement co-operation mechanisms to contribute towards better enforcement of data protection compliance in the UK;
  • To explore new links with international bodies and regulatory networks not necessarily in the data protection area but which influence global standards affecting data protection;
  • To share information and knowledge with other independent bodies responsible for enforcing and promoting freedom of information laws, including the development of a regular European Information Commissioner’s conference.

Challenge 3 Priorities:

  • To collaborate with the international business community and other stakeholders to support work to turn the GDPR’s accountability principles into a robust but flexible global solution;
  • To continue to participate in international work to promote global data protection standards and the long-term aim of a global data protection and privacy agreement or treaty.

Challenge 4 Priorities:

  • To provide expert advice to the UK Government and Parliament on international data flows;
  • To explore the concept of the UK as a ‘global data protection gateway’ – essentially providing a high standard of data protection law which is interoperable with different legal systems protecting the international flows of personal data;
  • To support the development of new mechanisms to enable international data transfers and better interoperability between the UK’s data protection laws and other systems.

So what does the strategy mean?

The ICO’s strategy re-confirms that the upcoming EU GDPR will be incorporated into UK law, and will remain so after Brexit and the important role this will play in bringing continuity during this transitional period. It also aligns to the recent Queen’s Speech in which it was confirmed that a new UK bill would help the UK maintain its "ability to share data with other EU member states and internationally after we leave the EU”.

The ICO’s strategy also focuses on the importance of maintaining a relationship with the EU, and positioning itself as a leading data protection regulator. To this end, the strategy highlights the importance of maintaining a presence in the Article 29 Working Party and also suggests forming bilateral relationships with individual Member States however, recognising the uncertainty surrounding the UK’s position in the EU and the impact this may have in forging these relationships. While the ICO’s clear desire is to work closely with the EU going forward, it recognises that its continued membership of the Article 29 Working Party is not guaranteed, and it must work proactively and boldly to maintain this leading status.

Arguably, the ICO’s strategy is recognition of the increasing importance of a more international approach, particularly as in the last 20 years data protection has become less confined by international borders, yet the UK Data Protection Act 1998 has not kept pace. Relationship building with the Asia-Pacific region, the continued leadership of the commonwealth ‘Common Thread Group’, and more generally prioritising international engagement on issues related to global privacy risks are identified as specific challenges the ICO intends to address.

The ICO’s International Strategy creates a clear path forward, and welcome certainty for the implementation of the GDPR and beyond. It sets out a clear commitment to forming constructive relationships worldwide and continuing to find effective and pragmatic solutions which protect the individual yet continue to enable organisations to foster innovation. We may be operating in uncertain times, but one thing the ICO is certain about is its international agenda and being a leading voice in this complex digital data processing world.

Samantha Sayers  | Solicitor – Cyber Security and Data Protection | PwC - UK
[email protected] |+44 (0)20 7213 4697

More articles by Samantha Sayers

Dennis Holmes  | US Qualified – Attorney – Cyber Security and Data Protection | PwC - UK
[email protected] |+44 (0)20 7804 2718

More articles by Dennis Holmes