The day’s top stories from around the world
Where the real conversations in privacy happen
Original reporting and feature articles on the latest privacy developments
Alerts and legal analysis of legislative trends
Exploring the technology of privacy
A roundup of the top Canadian privacy news
A roundup of the top European data protection news
A roundup of the top privacy news from the Asia-Pacific region
A roundup of the top privacy news from Latin America
A roundup of US privacy news
Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.
Advisory Board, KnowledgeNet Chapter Chair and Young Privacy Professional applications are now open. (Leadership positions are for members only. Join today.)
Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.
Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.
Locate and network with fellow privacy professionals using this peer-to-peer directory.
Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.
Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.
Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.
Develop the skills to design, build and operate a comprehensive data protection program.
Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.
Introductory training that builds organizations of professionals with working privacy knowledge.
Learn the legal, operational and compliance requirements of the EU regulation and its global influence.
Meet the stringent requirements to earn this American Bar Association-certified designation.
The global standard for the go-to person for privacy laws, regulations and frameworks
The first and only privacy certification for professionals who manage day-to-day operations
As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.
Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.
The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.
The IAPP’S CIPP/E and CIPM are the ANSI/ISO-accredited, industry-recognized combination for GDPR readiness. Learn more today.
Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.
Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Use the Vendor Demo Center, Privacy Vendor List and Privacy Tech Vendor Report to easily identify privacy products and services to support your work.
On this topic page, you can find the IAPP’s collection of coverage, analysis and resources related to international data transfers.
The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
This tracker organizes the privacy-related bills proposed in Congress to keep our members informed of developments within the federal privacy landscape.
Access all reports and surveys published by the IAPP.
Access all white papers published by the IAPP.
IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
The IAPP’s EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you’re meeting your obligations.
This chart maps several comprehensive data protection laws to assist our members in understanding how data protection is being approached around the world.
This interactive tool provides IAPP members access to critical GDPR resources — all in one location.
Join DACH-region data protection professionals for practical discussions of issues and solutions. Presented in German and English.
P.S.R. 2022 is the place for speakers, workshops and networking focused on the intersection of privacy and technology.
Europe’s top experts predict the evolving landscape and give insights into best practices for your privacy programme.
Gain exclusive insights about the ever-changing data privacy landscape in ANZ and beyond.
Explore the full range of U.K. data protection issues, from global policy to daily operational details.
Concentrated learning, sharing, and networking with all sessions delivered in parallel tracks — one in French, the other in English.
The world’s top privacy conference. Whether you work in the public or private sector, anywhere in the world, the Summit is your can’t-miss event.
View our open calls and submission instructions.
Increase visibility for your organization — check out sponsorship opportunities today.
Review upcoming IAPP conferences to see which need to be included in your schedule for the year ahead.
Start taking advantage of the many IAPP member benefits today
See our list of high-profile corporate members—and find out why you should become one, too
Don’t miss out for a minute—continue accessing your benefits
Review current member benefits available to Australia and New Zealand members
The United Kingdom’s post-Brexit reform of its data protection laws took another step forward Friday with the government’s final response to its data consultation. Initially launched September 2021 under “Data: a new direction,” and opened to public comment for ten weeks, the final response features several incremental reforms, such as altering some accountability provisions including the removal of a data protection officer requirement, adding an opt-out model for a wide swath of online tracking, and updates to the U.K. Information Commissioner’s Office.
“Today is an important step in cementing post-Brexit Britain’s position as a science and tech superpower,” Digital Secretary Nadine Dorries said. “Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.”
“Data is the fuel of the digital age,” said MP and Minister of State at the Department for Digital, Culture, Media & Sport Julia Lopez. “We need to use it in a more innovative, flexible way — while keeping high privacy standards — to drive scientific advance, help businesses and deliver better services to citizens. Today, we set out how we’ll do that.”
The extensive document comes after the government heard nearly 3,000 responses from the public and more than 40 roundtables with stakeholders from academia, technology and industry, as well as consumer rights groups. The response features 30 headings across five chapters: Reducing barriers to responsible innovation; mitigating burdens on businesses and improving better outcomes for people; minimizing barriers to data flows; improving public services; and reform of the ICO.
“I share and support the ambition of these reforms,” U.K. Information Commissioner John Edwards said. “I am pleased to see the government has taken our concerns about independence on board. … The proposed changes will ensure my office can continue to operate as a trusted, fair and impartial regulator, and enable us to be more flexible and target our action in response to the greatest harms.”
Notably, the government acknowledged there were concerns from stakeholders about the removal of requirements for data protection impact assessments and DPOs. Instead of a DPO requirement, the government seeks more flexibility for accountability. To bolster the implementation of what the government calls “privacy management programmes,” the U.K. will remove requirements to designate a DPO, conduct DPIAs and maintain a record of processing activities. Instead, “complimentary measures” would include “appointing a suitable senior individual to be responsible for the programme,” implementation of “risk assessment tools which help assess, identify and mitigate risks,” and “a more flexible record keeping requirement.”
Regarding transborder data flows, “the government sets out the importance of removing unnecessary barriers to cross-border data flows, including by progressing an ambitious programme of adequacy assessments.” The government acknowledged there were concerns about data flows and U.K. adequacy with the EU.
“As the government made clear in the consultation, we believe it is perfectly possible and reasonable to expect the U.K. to maintain EU adequacy as it designs a future regime,” the final document states. “EU adequacy decisions do not require an ‘adequate’ country to have the same rules, and our view is that reform of U.K. legislation on personal data is compatible with maintaining flows of personal data from Europe.”
Centre for Information Policy Leadership Senior Data Strategy and Privacy Policy Advisor Vivienne Artz applauded the government’s approach to data transfers, saying, “The more outcome-focused and flexible approach to adequacy in relation to data transfers is a welcome approach in support of the global digital and interconnected economy, where many jurisdictions are introducing more restrictions on data transfers.”
Another significant change will involve cookie consent. The government makes clear in the final consultation that it “intends to move to an opt-out model of consent for cookies placed by websites. In practice, this would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out.” However, the opt-out model would not apply to websites “likely to be accessed by children.”
Hogan Lovells Partner Eduardo Ustaran, CIPP/E, said, “The government has decided to adopt a fairly cautious approach with myriad changes that are very unlikely to threaten the adequacy status. The proposals are more telling about what will not be implemented than what will be implemented. That may signal to those who were concerned about the prospect of radical changes that the government is not seeking to diverge for the sake of diverging. But at the same time, some may be disappointed that the approach is not bolder.”
One such area where there will not be reform involves Article 22 in the U.K. General Data Protection Regulation, covering automated-decision making. However, the government plans to publish a white paper on artificial intelligence governance. This follows the publication last year of the National AI Strategy.
“It appears the government has pushed back on some of the more radical suggestions — such as replacing the (EU) GDPR with an entirely new framework of citizen data rights — and instead opted for incremental reform of the current framework,” said Linklaters’ Peter Church. “This is hardly a surprise given data protection laws are now a global norm and the (EU) GDPR is the template upon which many of those laws are based.”
CIPL President Bojana Bellamy, CIPP/E, said, “The U.K. Government’s plan to reform data protection regime is bold and much-needed in the modern digital and data driven age. It could be a win-win for all — organisations, individuals, and society. It enables organisations to leverage data responsibly, for economic and societal benefits and to build their brand as trusted data stewards. It gives individuals assurances and more effective protection from genuine harms. Accountability, risk- and outcome-based approach will be welcomed by all — these are the founding blocks of modern regulation and a modern regulator. I hope other countries follow the U.K.’s lead.”
However, not all stakeholders approve of the reforms.
Privacy advocacy organization Open Rights Group says the reforms will offer less choice for individuals and less accountability to bad actors. It is also concerned the independence of the ICO could be threatened, noting the Secretary of State will gain the ability to amend the commissioner’s salary, issue a “statement of priorities” to the ICO, and veto adoption of statutory codes and guidance, “thus exposing the ICO to political direction.”
In public comments, however, the ICO said, “We look forward to continuing to work constructively with the government as the proposals are progressed and will continue to monitor how these reforms are expressed in the Bill.”
The IAPP will continue to follow along with the U.K. data reforms and provide an in-depth look at the final consultation response.
Photo by Marcin Nowak on Unsplash
Submit for CPEs
If you want to comment on this post, you need to login.
The IAPP is the largest and most comprehensive global information privacy community and resource. Founded in 2000, the IAPP is a not-for-profit organization that helps define, promote and improve the privacy profession globally.
The IAPP is the only place you’ll find a comprehensive body of resources, knowledge and experts to help you navigate the complex landscape of today’s data-driven world. We offer individual, corporate and group memberships, and all members have access to an extensive array of benefits.
© 2022 International Association of Privacy Professionals.
All rights reserved.
Pease International Tradeport, 75 Rochester Ave.
Portsmouth, NH 03801 USA • +1 603.427.9200