A speech by non-executive director Peter Hustinx, delivered at the Cross-Border Data Protection Network event on data protection and transnational cooperation in the post-Brexit era.
I am delighted to be part of this event.
Data protection and international cooperation have been close to my heart for a very long time.
That is also why I joined the ICO Board as a non-executive director, now almost three years ago – to increase international and regulatory experience at that level and reinforce its international “bridge building” capacity, and I am pleased to say it has been a great ride ever since.
More generally, data protection authorities from across Europe and beyond have been involved in efforts to develop the legal rules and standards that now exist in this field.
That is certainly true for the Council of Europe Convention on Data Protection, the OECD Privacy Guidelines, and the GDPR as the present cornerstone of the EU legal framework.
The ICO and its predecessors have all actively contributed to these efforts, and their results continue to be relevant, also after Brexit. Moreover, in doing so, they also helped provide the basis for regulatory cooperation across borders in data protection.
However, the question is now more relevant than ever before – how this cooperation is developing when it comes to the supervision and enforcement of current rules, especially where big global platforms are involved, or other issues are at stake with a similar large impact.
As a part of its international strategy, the ICO has invested in the development of a global framework for regulatory cooperation in data protection. These efforts have been quite successful and started to bear tangible fruits in recent years.
So let me first briefly explain the main elements of this global framework and then consider what this might imply for today’s subject – which essentially involves the scope for regulatory cooperation across borders at a more regional scale or in bilateral settings.
Data protection authorities from Europe and elsewhere have been meeting each other at annual conferences, both in Europe and other parts of the world, for many years.
At a global level, this happened in the context of the ‘International Conference of Data Protection and Privacy Commissioners’, now known as the ‘Global Privacy Assembly’ (GPA), with more than 130 members from all over the world.
As Chair of the GPA for a three-year period since 2018, the ICO, and Elizabeth Denham as the Information Commissioner personally, have played a leading role in modernizing this body from a once-a-year conference to a year-round platform for collaboration and action.
The GPA has adopted a clear ambition and strategy, which also involves capacity building in regulatory and enforcement cooperation – that is both regulatory cooperation and practical enforcement cooperation.
One of its permanent working groups – the International Enforcement Cooperation Working Group, co-chaired by the Canadian, UK and US privacy enforcement authorities – is fully engaged in these subjects.
In the US, the competent authority is the Federal Trade Commission – the regulator for privacy related federal laws. Other agencies are established at state level, inter alia in California.
Among the Working Group’s activities are the promotion of ‘safe space’ or ‘closed enforcement sessions’ to examine a variety of emerging digital risks, and the development of useful tools such as an Enforcement Cooperation Handbook and a Repository to document and share professional experience.
In this context, different levels of cooperation must be defined: ranging from quite general – sharing of knowledge and experience with new technologies, such as Artificial Intelligence (AI), or investigations know-how, good practice and techniques – to more specific, such as sharing intelligence and background on data controllers, or case specific information on certain investigations.
Each of these different levels of cooperation has its own specific needs and requires its own conditions and safeguards.
As the DPAs involved in these forms of cooperation are all bound by their own national laws and typically lack a common legally binding framework, different instruments have been developed to overcome these handicaps and to allow regulatory cooperation to go forward where needed.
Since 2014 the GPA has developed a non-binding framework – the Global Cross Border Enforcement Cooperation Arrangement – not an Agreement for which these authorities would not be competent – that provides a common language and a pragmatic approach with sufficient details to create trust and allow an effective cooperation.
So far sixteen authorities have committed to the Arrangement, including authorities from Australia, Canada, Estonia, Germany, Ireland, the Netherlands and the UK. The typical way forward on this basis is that MOUs are used to shape the bilateral relationships between the individual parties as they see fit.
A good example of this approach is the joint investigation opened in July 2020 by the Office of the Australian Information Commissioner and the ICO into the personal information handling practices of Clearview AI – an American facial recognition company that is globally active and describes itself as the ‘World’s Largest Facial Network’.
Clearview’s facial recognition app allows users to upload a photo of an individual’s face and match it to photos collected from the internet. It then links to where the photos appeared. The system is reported to include a database of more than 10 billion images that Clearview claims to have taken or ‘scraped’ from various social media platforms and other websites.
Clearview’s practices have caused controversy in the US and led to critical comments from members of Congress. The Canadian Privacy Commissioner also condemned Clearview’s use of scraped biometric data.
But the Australian and UK DPAs started a joint investigation under the GPA’s Global Cross Border Enforcement Cooperation Arrangement and the MOU between the ICO and the OAIC entered into half a year before.
The two DPAs worked together on the evidence-gathering stage of the investigation. As both DPAs operated under their own country’s legislation, any outcomes were considered separately.
The joint investigation finished only a few months ago. In October the Australian DPA issued a ‘cease and desist’ order against the company and ordered the destruction of all scraped images collected from Australians.
On 29 November, the ICO announced its provisional intent to impose a potential fine of just over £17 million on Clearview AI. In addition, the ICO issued a provisional notice to stop further processing of the personal data of people in the UK and to delete it following alleged serious breaches of the UK’s data protection laws. A final decision in this case is expected by mid-2022.
This is a good example that cross-border enforcement cooperation is about real issues and can make a real difference to protections for the public. It is also increasingly important that DPAs coordinate and speak with one voice when global principles are at stake.
The power and reach of multinational technology platforms over personal data is now unprecedented. Common action will create clearer and more forceful direction towards respect for data protection and privacy.
The Council of Europe Convention on Data Protection – known as Convention 108+ in its modernized form – also provides for the cooperation of supervisory authorities, inter alia by coordinating their investigations or conducting joint actions, and expects them to form a network as well.
These authorities have indeed met annually at a separate conference, but as most of them are also members of the Global Privacy Assembly, there is less need for a more permanent platform like the GPA.
The OECD Privacy Guidelines, finally, also touch on the need for cross-border cooperation of privacy enforcement authorities, and the development of international arrangements that promote interoperability among privacy frameworks.
In a recent OECD report, ‘interoperability’ was referred to as the ability of privacy regimes, or legal frameworks, to work together to facilitate transborder data flows while ensuring the consistent protection of these data. It can also enable and support convergence of frameworks.
In line with this, the OECD encouraged the early development of a Global Privacy Enforcement Network (GPEN). This effort since 2010 now largely overlaps with the GPA. The operational approaches are similar – the GPA and GPEN bring DPAs together, MOUs then shape the bilateral relationships.
That brings me to the European Union.
The data protection authorities of EU member states do not have to rely on a global framework for their interactions, as they all share the same EU legal framework – the General Data Protection Regulation with a well-developed set of rules for cooperation and consistency.
The GDPR provides for compulsory cooperation between competent DPAs, with a one-stop-shop and lead authorities for cross-border issues, mutual assistance, joint operations, where needed, and a European Data Protection Board with representatives from all national authorities to ensure consistency.
The ICO was an integral and active part of this network before Brexit, and as one of the largest DPAs, also played a leading role in the enforcement working group. After Brexit that was obviously no longer the case.
This leads to the question of how the regulatory cooperation in data protection between the UK and EU member states is organized after Brexit, or in the words of today’s program: ‘in the post-Brexit era’.
The answer lies partly in Article 50 of the GDPR on international cooperation. In relation to third countries and international organizations – and the UK is now a ‘third country’ – this provision expects both the Commission and supervisory authorities to take ‘appropriate steps’ to accomplish several relevant tasks.
One of those tasks is ‘to develop international cooperation mechanisms to facilitate the effective enforcement of legislation for the protection of personal data’. Another one is ‘to engage ... stakeholders in discussion and activities aimed at furthering international cooperation’ in this field.
It is interesting that both the Commission and supervisory authorities have a task here. Some initiatives may well require action from the Commission, such as proposals for EU legislation or formal international agreements, but other initiatives may well be taken by DPAs. In fact, much of the work already accomplished in the context of the GPA can be considered in this category.
The word ‘appropriate’ also appears in the context of Brexit. In the political declaration about their future relationship, the EU and the UK agreed to make ‘arrangements for appropriate cooperation’ between their data protection regulators.
In the Trade and Cooperation Agreement (TCA) between the EU and the UK, concluded in December last year, both parties undertook ‘to cooperate at bilateral and multilateral levels [...]. Such cooperation may include dialogue, exchanges of expertise, and cooperation on enforcement, as appropriate, with respect to personal data protection.’
Last June, the Commission also adopted an ‘adequacy decision’ with respect to the UK. This meant that the level of protection in the UK was found ‘essentially equivalent’ to that in the EU, as a result of which personal data could continue to flow freely from the EU to the UK, without additional safeguards.
However, the decision contained a ‘sunset clause’. After four years a new determination will be necessary. The present decision could also be withdrawn if developments in the UK no longer justified an adequacy finding.
Not much progress in regulatory cooperation between the EU and the UK is to be reported since. This may well be due in part to ongoing discussions on the implementation of other aspects of the TCA.
However, the ICO can see the opportunity for an agile and flexible arrangement that enables data sharing and better coordination. There will be important benefits from focusing on the achievement of real outcomes and ensuring that structures and formalities are proportionate.
In other words, this means thinking more in terms of ‘joined-up’ regulation with strong incentives for multi-national companies to take action to achieve high standards of compliance with common principles. This action needs to be timely and effective.
There are probably two main models of UK-EU cooperation in data protection:
- a centralized or integrated model built around the EDPB and one-stop-shops with lead authorities, as currently provided in the GDPR, and
- a decentralized or loose-knit model built on bilateral relations and MOUs between ICO and targeted DPAs.
One could possibly also imagine a hybrid of these two models, where some activities are centralized and other activities are not. All options have their own obvious benefits and drawbacks, but I will leave these for another day.
At this stage, the ICO is cooperating with several DPAs in the EU on a bilateral basis where needed, and with full respect for each other’s applicable law. One clear example is Ireland.
Data flows between Ireland and the UK are a key issue, in addition to the movement of goods. Services, including in health, are also offered across the border and data flows are vital to their support.
The cooperation between the Irish Data Protection Commission and the ICO has always been strong and constructive. The ICO continues to engage with them when in the public interest.
In this respect, let me also recognize the leading role the Irish DPA plays in regulating some big global players – such as Google, Apple, Facebook, Amazon and Microsoft – with a European establishment in Ireland.
The two offices also recently shared experience on children’s privacy. The ICO’s ‘Age-Appropriate Design Code’ – mandating online service providers to take the best interests of child users into account – went live in September after a 12-month transition period, and the Irish DPA has issued new guidance.
All this goes with an important proviso – the UK’s adequacy status under the GDPR. If the present adequacy decision is withdrawn or not continued after four years, the situation will become a lot more difficult, also for regulatory cooperation across borders.
Let me be very clear on this point: ‘essential equivalence’ is not cast in stone and does not require a carbon copy of the GDPR. There is clearly a margin for national variations.
What matters is that a country’s laws and practices provide an essentially equivalent level of protection. In other words, that its laws and practices can deliver essentially the same results as the EU legal framework. Convention 108+ of the Council of Europe has also been recognized as a benchmark for high standards in this respect.
However, if essential elements of protection are missing, that would create a serious obstacle. This is relevant, because a UK data reform consultation has been ongoing, and the UK Government is considering how to proceed.
In its public response, the ICO has been open to the consultation. It is a good practice to review laws to see how they are working. But in its view, the UK must continue to have high standards, which are vital to trust and confidence in the data economy and to what the public expects.
In her foreword to the ICO response in October, Elizabeth Denham, then still Information Commissioner, emphasized the crucial value of an independent regulator and expressed concerns that certain elements of the proposals did not sufficiently safeguard this independence.
Elsewhere she also mentioned the key role of the fairness principle, especially in relation to new technologies, such as Artificial Intelligence. In the ICO’s view it would not be wise to limit the scope of this important principle.
I would be remiss to conclude my remarks here without mentioning another kind of regulatory cooperation, in which data protection regulators may be taking part. That is cooperation across relevant sectors – only national or also international – to ensure better outcomes in a digital economy, and in our increasingly digitalized societies more generally.
The ICO is fortunate to be a member of such a joined-up approach to digital regulation in the ‘Digital Regulation Cooperation Forum’, established in July 2020 together with the Competition and Markets Authority and the Office of Communications, and now also including the Financial Conduct Authority.
In March 2021, the Forum published its first annual plan of work. Priorities include responding strategically to industry and technological developments, developing joined-up approaches and building shared skills and capabilities. In other words, essential work to jointly address the challenges of a digital age.
All this is ultimately meant to underscore how regulatory cooperation across borders can bring new perspectives and new energy, which will benefit the participants in that cooperation as well as their ultimate stakeholders, to which we all belong.
Thanks for your attention.
Peter Hustinx was the first European Data Protection Supervisor from January 2004 until December 2014. In January 2019, he joined the ICO as a non-executive director. He has also served as a director of the International Association of Privacy Professionals and the Centre for Democracy & Technology (CDT) in Washington DC.