Update on changes to data protection legislation
Changes are afoot in data protection law. Last year the European Parliament voted in favour of the EU General Data Protection Regulation, which would significantly expand data protection laws within the EU. However, the European Council has yet to agree, and the Regulation remains the subject of considerable debate, particularly regarding the proposed creation of a European Data Protection Board as a “one stop shop” for cross-border disputes. While some issues have been provisionally agreed, ultimately the approach is that “nothing is agreed until everything is agreed”, and as the Council has no deadline by which to reach a decision, it seems unlikely that an agreement will be reached this year.
The current position in the UK is set out in the Data Protection Act 1998 (DPA), which implements the EU’s Data Protection Directive 1995. The new Regulation will apply directly in the UK, and won’t need to be implemented by a UK statute.
The current draft Regulation is considerably more detailed than the Directive or the UK Act, and contains a number of changes which will give data protection laws greater stringency, more power, and a broader scope. For example, the Regulation will apply to both “data controllers” (who collect and control data) and “data processors” (who process data on behalf of controllers) as opposed to just controllers. It also applies to non-EU controllers whose activities relate to the offering of goods or services to EU data subjects or the monitoring of their behaviour. This expansion is likely to catch online retailers and ad-providers in particular.
As the Regulation would apply directly to member states, the UK will not have the ability to implement slightly looser domestic legislation, as it did with the DPA. In particular, UK practice arguably does not currently follow the Directive in relation to the requirements for data subject consent for data processing. The current requirements in the UK are for freely given, specific and informed consent to any processing. The Regulation includes a requirement that the consent be explicit, which would represent a major change in current UK practice, where implied consent is often accepted as sufficient.
The UK government and Information Commissioner’s Office have expressed some scepticism about the proposed changes, in particular the fact that they will be structured as a regulation rather than a directive (allowing less flexibility for member states) and the potential powers of the European Data Protection Board. Despite the UK’s relative conservatism on this subject, the majority of member states are in favour of the current template, and although they may be some time coming, significant developments are on their way.