Regulatory Outlook: Data Protection and Privacy

Current issues: February 2019

Progress of the e-Privacy Regulation

It is looking increasingly unlikely that the e-Privacy Regulation – which will replace the existing e-Privacy Directive and will govern the processing of personal data in connection with electronic communications services – will get over the line before the current term of the European Parliament ends in April 2019.

The Council of Ministers acknowledged – in its progress report from December 2018 – that there is a lack of consensus among EU countries on the wording of the draft e-Privacy Regulation.

The Council has to finalise its approach before the trialogue of the final version of the draft e-Privacy Regulation can commence between the Council, the European Commission and the European Parliament.  That trialogue looks unlikely to happen until after European elections in May 2019.

Even once it is adopted, the draft e-Privacy Regulation is not expected to apply until two years after its adoption date, so businesses will – in theory – have plenty of time to implement its requirements.

Whether the e-Privacy Regulation applies in the UK will depend not only on when the Regulation is adopted, and the time period before it then comes into force, but also the duration of any transition period (including any extensions) should the UK-EU Withdrawal Agreement be ratified.

EDPB draft guidelines on the territorial scope of the GDPR

On 23 November 2018, the European Data Protection Board (EDPB) published draft guidelines on the territorial scope of the GDPR.  The EDPB invited comments on those draft guidelines by 18 January 2019.  We expect the final version of the guidelines to be adopted in the next couple of months.

The draft guidance is useful for providing an indication of how the various EEA data protection authorities will assess the application of the GDPR to non-EEA entities.  Nonetheless, we expect that non-EEA entities will still need to adopt a relatively cautious approach, and assess – on a case-by-case basis – whether and to what extent the GDPR is likely to apply to them.

For more, see our Insight on the EDPB draft guidelines.

Max Schrems files complaints against streaming services

On 18 January 2019, “None of your Business” – Max Schrems’ NGO – filed complaints with the Austrian Data Protection Authority against eight companies running streaming services, claiming that their processes for responding to subject access requests, and the information provided by them in response to such requests, do not comply with the requirements of Article 15 of the GDPR.

The response of the Austrian Data Protection Authority to those complaints will – no doubt – be of interest to most businesses, particularly those who have automated processes for responding to subject access requests.

What to expect from the ICO in 2019

We can expect a number of developments from the Information Commissioner’s Office (ICO) in 2019:

  • The ICO is continuing to update and / or replace its codes of practice and guidance documents to reflect the requirements of the GDPR and the Data Protection Act 2018 – businesses are likely to be particularly interested in the updates to the data sharing code of practice, the subject access code of practice and the new direct marketing code of practice.
  • In August 2018, the ICO updated its draft Regulatory Action Policy, which sets out the ICO’s approach to taking action under relevant legislation (including the GDPR and the Data Protection Act 2018). The policy has been laid before Parliament for approval.
  • In January 2019, the ICO opened a consultation on its draft access to information strategy (‘Openness by design’), which is concerned with the ICO’s approach to tackling non-compliance among public authorities with requests for information under the Freedom of Information Act 2000 or the Environmental Information Regulations 2002. The consultation closes on 8 March 2019.
  • In February 2019, the ICO will hold a consultation workshop on the development of its regulatory sandbox: a place where organisations are supported to develop innovative products and services using personal data in different ways.

In Focus: No deal Brexit

What would be the impact of a no deal Brexit for UK businesses trading with the EU?

Through the EU (Withdrawal) Act 2018, EU data protection law (including the GDPR) existing as at 29 March 2019 will be incorporated onto the UK statute book on that day, so while the EU GDPR will not apply directly in the UK, the UK will have its own version.

The main impact of a no deal Brexit would be on the transfer of personal data between the UK and the EU / EEA (in either direction).

There are unlikely to be any immediate restrictions on the transfer of personal data from the UK to the EEA, because the UK government has confirmed that it will transitionally recognise all EEA states as providing an adequate level of protection for personal data.

There will be restrictions on the transfer of personal data from the EEA to the UK because the UK will be a “third country”.  It is extremely unlikely that the UK will secure an adequacy decision from the EU before 29 March 2019, which means that businesses must start identifying which transfers will become restricted transfers on exit date and, in respect of those transfers, incorporate the EU’s standard contractual clauses into relevant agreements.

Another significant impact of a no deal Brexit is that the UK would not have continued participation in the “One-Stop Shop” / Lead Supervisory Authority regime.  This means that businesses who continue to carry out cross-border processing after the UK has left the EU will need to consider which other supervisory authority will become their lead authority (if any).  The ICO considers various scenarios here.

What would be the impact of a no deal Brexit for non-UK businesses trading with the UK?

In addition to the impact in relation to cross-border transfers of personal data (discussed above), non-UK businesses trading with the UK will, in certain circumstances, need to comply with the UK’s data protection framework.

The UK government intends to retain the extraterritoriality of the UK’s data protection framework, so that it will apply to non-UK businesses where:

  • they have offices, branches or establishments in the UK; or
  • they are processing personal data about individuals in the UK in connection with offering them goods and services, or monitoring their behaviour.

In those circumstances, the non-UK business will need to appoint a representative in the UK (unless one of the exceptions applies).

What should businesses be doing now to prepare for a no deal Brexit?

  • Continue with GDPR projects through to completion, as an organisation which is compliant pre-Brexit is likely to be compliant post-Brexit (irrespective of the shape that Brexit takes);
  • Map data flows, specifically identifying where data is received into the UK from the EEA, or where data is transferred from the UK to any country outside the UK;
  • Continue to monitor the position concerning EEA-UK data transfers post-Brexit and consider updating agreements to include standard contractual clauses to legitimise data transfers (as a matter of regulatory law) until such time that the UK is granted adequacy; and
  • Businesses that currently benefit from the Lead Supervisory Authority regime under GDPR will need to carefully consider how the removal of the UK / ICO from this regime will impact them, and whether steps can be taken to mitigate that impact.

We explore the implications of Brexit for data protection in more detail here.

Dates for the Diary

Post-May 2019 The e-Privacy Regulation is not expected to be passed into EU law until after the European elections in May 2019.