Privacy & Information Security Law Blog

On May 23, 2023, the UK Information Commissioner, John Edwards, delivered the opening remarks at the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE”). The Commissioner opened his speech by stating his “principal reason” for being present was to provide “reassurance” that he takes his “responsibility of protecting Europeans data in the United Kingdom very seriously” and “will continue to do so through the process of law reform, and beyond.” The Commissioner went on to discuss several points, including the following:

• The principles which underpin the GDPR are “shared values” with the UK.
• The UK and EU must work together, alongside industry, to “ensure the people of the United Kingdom, and of Europe enjoy a high standard of privacy and data protection.” As the UK is no longer a part of the European Data Protection Board (“EDPB”), the Commissioner would like to see the “[European] Commission and EDPB use the tools under Article 50 GDPR to facilitate cooperation formally with third country data protection authorities.”
• With regard to enforcement, the Commissioner considers that “fines are not the only expression of enforcement and arguably often not the most effective” and that in his view, “enforcement involves a range of regulatory responses to non-compliance,” referencing warnings and reprimands. The Commissioner however acknowledged that financial penalties “have their place,” particularly when an organization has profited from non-compliance and put individuals’ data at risk by doing so.
• On the UK’s Data Protection and Digital Information Bill, the Commissioner states that the Bill amends the existing framework but does not replace the GDPR, with the “foundations” remaining the same. Specifically in relation to the UK Information Commissioner’s Office (“ICO”), the governance changes will mean greater diversity at senior levels, and increased accountability to the UK Parliament and the public. The Commissioner also discussed the ability of the Secretary of State under the Bill to set “strategic objectives” for the ICO; the Commissioner confirmed these will not amount to a “material difference to the independence of the ICO” and will not create an opportunity for government to “interfere” with or “influence” the activities of the ICO.
• Also, with regard to the Bill, following discussions between the Commissioner and UK government, it is agreed that the Secretary of State will have the power to approve or reject guidance from the ICO to the extent it applies to the “most significant matters requiring a statutory code.”
• With regard to the UK’s adequacy decision from the EU, in the Commissioner’s view, “nothing in the Bill will jeopardize that position.”