General Data Protection Regulation (GDPR)
The GDPR will take effect across the EU from 25 May 2018. The GDPR introduces some significant changes that have the potential to have a profound impact on many businesses that collect and use information about individuals.
In December 2017, the Article 29 Working Party published its new draft guidelines on transparency and consent. We can expect the Article 29 Working Party to publish its final version of these guidelines over the next few months, along with:
- revised versions of its guidelines on breach notification and automated decision-making and profiling; and
- guidelines on data transfers to third countries.
We are also expecting guidance from the Information Commissioner’s Office (ICO) in the form of its ‘Guide to the GDPR’. The ICO also intends to publish detailed guidance on consent and on the other lawful bases for processing (including legitimate interests).
You can find out more about the GDPR on Osborne Clarke’s dedicated GDPR feature page.
Data Protection Bill
In September 2017, the Data Protection Bill was introduced into Parliament. The Bill is principally designed to:
- implement and supplement key standards under the GDPR;
- outline where UK law will deviate from certain GDPR provisions; and
- update and strengthen UK law to make the shift to the GDPR (and the UK’s transition out of the EEA) as simple and as smooth as possible for businesses.
The Bill is currently making its way through the legislative process (you can keep up-to-date on its progress here). Irrespective of the progress of the Data Protection Bill, businesses should continue with GDPR projects as planned, while weaving the Bill's core themes and likely changes into those activities. For example, employers currently mapping data or assessing the legal bases on which they process special categories of personal data and criminal convictions data will also need to consider preparing, as part of their remedial measures, an appropriate policy document to ensure that their obligations in respect of those types of data are fully satisfied (this is one of the current requirements of the Data Protection Bill).
Data transfers outside the EEA
In a much-anticipated judgment, the Irish High Court decided to ask the Court of Justice of the European Union (CJEU) to rule on the case of Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems as to the validity of the standard contractual clauses for legitimising transfers of personal data outside the EEA (otherwise known as the “Model Clauses”). The intended referral to the CJEU does not mean that the Model Clauses are now invalid. It is likely to take some time for the CJEU to pass judgment on the Model Clauses, so until we hear anything different (from the CJEU or from regulators), the Model Clauses should continue to be used where appropriate.
On 8 September 2017, the European Commission published its first proposed revision to the draft Regulation on Privacy and Electronic Communications (e-Privacy Regulation). This will replace the existing e-Privacy Directive (implemented in the UK by the Privacy and Electronic Communications Regulations 2003). The e-Privacy Regulation aims to reinforce trust and security in digital services in the EU by ensuring a high level of protection for privacy and confidentiality in the electronic communications sector, while also seeking to ensure the free movement of personal data and of electronic communications equipment and services within the EU.
- The draft e-Privacy Regulation introduces significant reforms (summarised here), including in relation to the (much broader) scope and territorial application of the rules, the processing of “electronic communications data”, and the so-called “cookies” rules (which cover a much wider range of technologies and activities than simply posting and accessing cookies).
- The original ambition of the European Commission was for the e-Privacy Regulation to come into effect on 25 May 2018 – the same date as the GDPR. However, this seems optimistic, especially as there has been no proposed transition period for businesses needing to comply with it.
Dates for the diary
| Date | Event |
| --- | --- |
| Early 2018 | ICO’s Guide to the GDPR due to be published. |
| Early 2018 | ICO’s guidance on the other lawful bases for processing, including legitimate interests, due to be published. |
| Early 2018 | Further guidance from the Article 29 Working Party expected. |
| 25 May 2018 | e-Privacy Regulation (once finalised) intended to come into effect. |
| 25 May 2018 | The GDPR comes into effect. |