It’s going to be a busy year in the technology and communications sector, particularly in the data privacy space. We look at some of the main areas of change.
We’ve been talking about it for a long time now but it’s finally here; the EU’s data protection reform package will apply from 25 May 2018. The GDPR is a complete overhaul of EU data protection law and is accompanied by a Directive which deals with data processing for law enforcement purposes. UK implementation aspects are being covered in the Data Protection Bill which is expected to come into force at the same time as the GDPR.
Also on the horizon is implementation of the Network Information Security Directive (NISD or the Cybersecurity Directive). The UK has still not published its implementing text, having carried out a consultation in September 2017 so there is work to do before the May implementation deadline.
Finally, the EU is also in the process of completing a Regulation which would prevent data localisation requirements in Member States.
In addition to legislative changes, we anticipate another interesting year for data exports to third countries. There is pressure on the CJEU to expedite its decision on the adequacy of Standard Contractual Clauses for data exports to the USA – a reference from Ireland as part of further Schrems litigation. Data exports are also under regulator scrutiny. The Article 29 Working Party (WP29) has called on the US to take a series of steps in relation to EU-US Privacy Shield by 25 May 2018 or face legal action.
In addition to the legislation required to implement the EU reforms, the UK has a number of other pieces of legislation on the statute books or in the pipeline. Part 5 of The Digital Economy Act 2017, provides for data sharing between public bodies under certain circumstances (although is not fully in force) and four data sharing codes of practice are in the consultation stage. The DEA also allows for the ICO to introduce fees to replace the current notification fee, and mandates the ICO to produce a statutory code of practice on direct marketing.
The other area we are likely to see movement on is the Investigatory Powers Act 2016. The IPA deals with access to and retention of communications data. At the end of 2017, the government acknowledged that part of it did not comply with EU law and began consulting on changes. The IPA is currently seen as a potential stumbling block to a post-Brexit adequacy decision for the purposes of data exports from the EU to the UK, so amending it to the satisfaction of the EU is likely to be a priority in 2018.
There is a lot of change for businesses to digest this year but the threat of hefty sanctions for non-compliance under the GDPR (up to 4% of annual global turnover), should focus the mind. Our Global Data Hub provides a wealth of information and interactive resources about the changes.
Digital Single Market
The EU is likely to ramp up activity on the Digital Single Market as the end of the Junker presidency looms. As part of its mid-term review of the DSM project, the Commission highlighted three key areas as requiring further action: the data economy, cybersecurity and online platforms.
The Regulation on portability of online content will apply from 1 April 2018. The overarching aim of the Regulation is to ensure that consumers can benefit from online content services they have lawfully paid for, when they are temporarily in Member States outside their State of residence. This will benefit EU citizens on holiday, travelling in the EU on business, or temporarily studying in another Member State.
The EC has also announced political agreement on the Regulation to address unjustified geo-blocking and on the Regulation on cross-border parcel delivery services. While not specifically part of the DSM initiative, it’s also worth noting that the Trade Secrets Directive must be implemented by 9 June 2018.
The Commission’s 2018 Work Programme prioritised completion of the Electronic Communications Code, the proposed copyright reform, cybersecurity proposals and consumer protection proposals. Alongside this, the EC plans to present proposals on fairness in platform-to-business relations, countering fake news and revising guidelines on significant market power in the electronic communications sector. In addition, it has highlighted facilitating the development of new technologies including autonomous vehicles and AI.
The EU is in the process of overhauling its telecoms Directives to produce a new Electronic Communications Code. Negotiations will continue in 2018. The Council has set June 2018 as the deadline for agreeing a position with the Parliament but full implementation is unlikely to take place before 2020. The reforms will, among other things, cover 5G rollout, a widening of regulator scope to cover services provided over the internet, and updating infrastructure regulation. At the same time, the Commission is also in the process of reforming the governance structure and reshaping the role of BEREC and, as mentioned above, completing the ePrivacy Regulation.
The UK’s revised Electronic Communications Code which deals with installation of telecommunications infrastructure came into force at the end of 2017. The Investigatory Powers Act which, as mentioned above, deals with access to and retention of communications data is not yet in force. The government is consulting on amendments which are expected to be finalised this year. 2018 will also see the auction of spectrum to facilitate 5G rollout, and the initial stages of bringing the broadband universal service obligation into effect.
The revised Directive on payment services (PSD2) was implemented in the UK by the Payment Services Regulations 2017, which came into effect on 13 January 2018. PSD2 aims to bring about a more effective European payments market which is secure and protects consumers. Not all provisions currently apply. The EBA will be developing regulatory technical standards on strong customer authentication and common and secure communication but these are unlikely to be finalised during 2018.
MIFID II and the Markets in Financial Instruments Regulation (MiFIR) came into effect on 3 January 2018. They replace the Market in Financial Instruments Directive 2004 (MiFID) and overhaul the legal framework applicable to investment firms, trading venues, data reporting service providers and third-country firms providing investment services or activities in the EU. The FCA has made changes to its rules and guidance to ensure UK compliance and some new legislation has been introduced. Changes include to rules on telephone taping and trade data and transaction reporting.
We can’t leave out Brexit. Leaving aside the progress of negotiations, we can expect to see the Withdrawal Bill finalised this year. It is, however, unlikely to provide much clarity on how any transition period will work or what the reality of Brexit will look like.
Certainly the EU expects the UK to continue to implement incoming EU law and CJEU decisions until at least the end of any transition period although details have yet to be ironed out. This means that those in the UK need to continue to pay close attention to EU legal developments in 2018, and assume they will need to act on them as normal.