UK’s ICO and EDPS Sign Memorandum of Understanding

On November 8, 2023, the UK’s Information Commissioner Office (ICO) and the European Data Protection Supervisor (EDPS) signed an agreement, referred to as MoU, called ‘Memorandum of Understanding for Cooperation in the Application of Laws Protecting Personal Data.’

According to the Cambridge Dictionary, a ‘memorandum of understanding’ is “a document that records the details of an agreement between two companies or organizations, which has not yet been legally approved.” In the context of the agreement between the two parties, the document is in no way a legally binding agreement and there is no indication that it would be followed by any legal obligation for either one of the two organizations. 

As stated in the ICO’s press release on the topic, it “reinforces [the two parties’] common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal” and it “sets out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and, promote dialogue among data protection authorities and other digital regulators.”

The MoU comes to establish a framework for cooperation between the UK’s Information Commissioner and the EDPS in the context of the increasing need for cross-border cooperation as regards the flow and exchange of personal information. The document outlines the role and responsibilities of each of the two organizations and describes a series of “broad principles of collaboration between [the two] and the legal framework governing the sharing of relevant information and intelligence between them.” The scope of cooperation between the ICO and the EDPS (the Participants) is their shared interest in collaborating in order to

• “ensure that the Participants are able to deliver the regulatory cooperation necessary to underpin the data-based society and protect the fundamental rights of citizens of the United Kingdom and individuals in the European Union respectively, in accordance with the applicable laws of the Participants’ respective jurisdictions;
• cooperate with respect to the enforcement of their respective applicable data protection and privacy laws;
• keep each other informed of developments in their respective jurisdictions having a bearing on this MoU; and
• recognise parallel or joint investigations or enforcement actions by the Participants as priority issues for cooperation.”

In order to achieve these purposes, any cooperation between the two may include:

• “sharing of experiences and exchange of best practices on data protection policies, education and training programmes;
• sharing of information about respective priorities for regulatory actions, including policy and enforcement priorities;
• implementation of joint research projects and joint publications;
• sharing of experiences and lessons learned from regulatory cooperation and coordination activities at national, regional or international level.
• co-operation in promoting dialogue among data protection authorities and other digital regulators (including competition and consumer protection authorities) to explore synergies and ensure a consistent application of digital regulations;
• exchange of information (excluding personal data) involving potential or ongoing investigations of organisations in the respective jurisdictions in relation to a contravention of personal data protection legislation;
• secondment of staff;
• mutual assistance, consultations, operational visits, data protection audits or inspections, investigations or joint investigations into cross border personal data incidents involving organisations in both jurisdictions (excluding sharing of personal data);
• convening bilateral meetings at least every six months or as mutually decided between the Participants; and
• any other areas of cooperation as mutually decided by the Participants.”

There would be no sharing of personal data as a default means of cooperation and for cases where this would be necessary, “for example in relation to any cross border personal data incidents involving organisations in both jurisdictions, each Participant will consider compliance with its own applicable data protection laws, which may require the Participants to enter into a written agreement or further arrangements governing the sharing of such personal data.” For any instance where information is shared between the two, “appropriate confidentiality and security measures will be agreed to protect information” and “where confidential material is shared between the Participants it will be marked with the appropriate security classification by the Sender.”

The MoU went into effect upon its being signed by the ICO and the EDPS, on November 8, 2023 and will remain into effect unless either a review of the agreement or its termination is requested by either one of the Participants. A review will be conducted with the participation of both and a termination will take place “upon three months’ written notice” from the requesting Participant to the other Participant. 

The heads of the two organizations made statements regarding the MoU as follows: 

“Today's MoU formalizes the existing and ongoing collaboration between my office and the EDPS. We’ll continue to work together both bilaterally, and in other international groups, to find pragmatic solutions to ensure that organisations are supported and aware of their data protection, while upholding people’s information rights.”
John Edwards, UK Information Commissioner

“This MoU aims to further strengthen the EDPS and ICO’s joint commitment to ensure a consistent and coherent approach to the protection of individuals’ rights to privacy and data protection. This document maps out concretely how both of our authorities, with our respective experiences and knowledge, plan to prioritise individuals’ fundamental rights across the EU and the UK.”
Wojciech Wiewiórowski, European Data Protection Supervisor