On November 8, 2023, the UK’s Information Commissioner Office (ICO) and the European Data Protection Supervisor (EDPS) signed an agreement, referred to as MoU, called ‘Memorandum of Understanding for Cooperation in the Application of Laws Protecting Personal Data.’
According to the Cambridge Dictionary, a ‘memorandum of understanding’ is “a document that records the details of an agreement between two companies or organizations, which has not yet been legally approved.” In the context of the agreement between the two parties, the document is in no way a legally binding agreement and there is no indication that it would be followed by any legal obligation for either one of the two organizations.
As stated in the ICO’s press release on the topic, it “reinforces [the two parties’] common mission to uphold individuals’ data protection and privacy rights, and cooperate internationally to achieve this goal” and it “sets out how the authorities will continue to share experiences and best practices; cooperate on specific projects of interest; share information or intelligence to support their regulatory work; and, promote dialogue among data protection authorities and other digital regulators.”
The MoU comes to establish a framework for cooperation between the UK’s Information Commissioner and the EDPS in the context of the increasing need for cross-border cooperation as regards the flow and exchange of personal information. The document outlines the role and responsibilities of each of the two organizations and describes a series of “broad principles of collaboration between [the two] and the legal framework governing the sharing of relevant information and intelligence between them.” The scope of cooperation between the ICO and the EDPS (the Participants) is their shared interest in collaborating in order to
In order to achieve these purposes, any cooperation between the two may include:
There would be no sharing of personal data as a default means of cooperation and for cases where this would be necessary, “for example in relation to any cross border personal data incidents involving organisations in both jurisdictions, each Participant will consider compliance with its own applicable data protection laws, which may require the Participants to enter into a written agreement or further arrangements governing the sharing of such personal data.” For any instance where information is shared between the two, “appropriate confidentiality and security measures will be agreed to protect information” and “where confidential material is shared between the Participants it will be marked with the appropriate security classification by the Sender.”
The MoU went into effect upon its being signed by the ICO and the EDPS, on November 8, 2023 and will remain into effect unless either a review of the agreement or its termination is requested by either one of the Participants. A review will be conducted with the participation of both and a termination will take place “upon three months’ written notice” from the requesting Participant to the other Participant.
The heads of the two organizations made statements regarding the MoU as follows:
“Today's MoU formalizes the existing and ongoing collaboration between my office and the EDPS. We’ll continue to work together both bilaterally, and in other international groups, to find pragmatic solutions to ensure that organisations are supported and aware of their data protection, while upholding people’s information rights.”
John Edwards, UK Information Commissioner
“This MoU aims to further strengthen the EDPS and ICO’s joint commitment to ensure a consistent and coherent approach to the protection of individuals’ rights to privacy and data protection. This document maps out concretely how both of our authorities, with our respective experiences and knowledge, plan to prioritise individuals’ fundamental rights across the EU and the UK.”
Wojciech Wiewiórowski, European Data Protection Supervisor