Data Protection and Privacy Update – Spring 2017
The General Data Protection Regulation
The GDPR is a key piece of European legislation which will impact most businesses (many of them quite significantly), requiring management time and expense in order to put in place new compliance systems. Understandably then, after the referendum there were questions about whether UK businesses would be subject to the GDPR if the UK exited the EU before the GDPR implementation date in May 2018. However, the timing of the Government’s service of notice under Article 50 means that the GDPR will almost certainly be in force before the UK exits the EU, so if they have not already done so, businesses must start now to look at what steps they will need to take to update their systems, policies and processes.
Early in 2017, the European Commission published a draft E-Privacy Regulation, which will replace the current E-Privacy Directive, and is aimed to address the continuing evolution of internet communications (in particular, “over-the-top” communications services like WhatsApp). The new E-Privacy Regulation (like the GDPR) will be directly applicable to all member states upon implementation. The Commission has set the ambitious deadline of implementing the E-Privacy Regulation on 25 May 2018 alongside the GDPR, meaning it would apply to the UK at that point.
It is not yet certain how much the draft E-Privacy Regulation will change before it is finalised, but the current text will be hugely relevant to all electronic communications service providers, including any business offering an electronic communication tool to users (even if it is incidental to their main service), such as dating or other messaging apps, video game services, travel and e-commerce sites, email platforms and VoIP services. In fact, most businesses will be caught by the Regulation to some extent, because it also applies to those providing online tracking technologies (cookies or device fingerprinting, for example), interconnected devices (the “internet of things”), and those which carry out electronic direct marketing.
The good news for the majority of UK businesses is that the draft E-Privacy Regulation does not materially change the current rules on marketing emails or texts sent to consumers (although this may be expanded to business recipients), and the cookie consent obligations appear to be moving more towards browser providers and away from website operators. That said, the current draft increases the cap on fines for non-compliance in line with eye-watering levels in the GDPR (depending on the offence, up to €10m or €20m or 2% or 4% of worldwide annual turnover).
Looking forward two years, the post-Brexit position remains unclear in relation to both the GDPR and the draft E-Privacy Regulation. The Great Repeal Bill, details of which were published at the end of March and which is due to come into force on the day the UK actually leaves the EU, aims to ensure that “European Law” will no longer apply in the UK. However, its immediate effect will be to copy all existing EU legislation across into domestic law. Those hoping for an easing of the laws regulating data protection and privacy will therefore be disappointed, at least in the short term. In the longer term too, the sheer number of cross-border data transfers between the UK and the EU will require some form of official arrangement to ensure that UK businesses are not hindered by the need for complex contractual provisions in their EU dealings, and current government sentiment appears to favour continued robust data protection law. The two most obvious options are an “adequacy decision”, or an equivalent to the “Privacy Shield” arrangement currently in place between the EU and the US.
An “adequacy decision” is essentially a certification from the EU that a jurisdiction’s personal data protection regime is adequate, so that data can be transferred to it without any further safeguards (essentially as though it were within the EU). While the UK has not yet committed to seeking an adequacy decision, it seems that, unless it repeals the GDPR and the E-Privacy Regulation, it should be relatively simple to achieve this certification initially. The difficulty arises when these regulations are later amended, or when EU court cases result in readings that differ from those of the UK courts.
If the UK were to lose (or never achieve) an adequacy decision, the most likely alternative would be an equivalent of the “Privacy Shield” arrangement, which provides a framework for US businesses to opt in to EU data protection requirements and so be able to receive personal data from the EU without further safeguards.
It is worth remembering that the extra-territorial effect of both the GDPR and the draft E-Privacy Regulation means that they will continue to apply, regardless of what form Brexit takes, to any UK business in its dealings with end-users who are within the EU.
See our guides for more detail on the requirements of the GDPR.
The Information Commissioner’s Office (ICO) website provides guidance on the GDPR and how to comply with it.