United Kingdom: Issued Information Commissioner's opinion on Data Protection and Digital Information (No. 2) Bill, including cross-border data transfer regulation

On 30 May 2023, the Information Commissioner (ICO) published its opinion on the Data Protection and Digital Information (No.2) Bill. The ICO is an independent institution that enforces data protection regulations. In particular, ICO supports the inclusion of legislative language that confirms adequate regulations for data transfers to third countries or international organisations, which can only be approved if the Secretary of State determines that the data protection requirements are met. The ICO suggests that the factors the Secretary of State considers in determining the fulfilment of the data protection requirements should be expanded and clarified. Furthermore, the ICO recommends specifying that matters considered by the Secretary of State should not outweigh or take precedence over the need to meet the data protection test. The ICO also recommends a clear distinction between decision-making processes for selecting countries for adequacy regulations and determining whether a country meets the data protection requirements. Such clarity would improve regulatory certainty.