2016 saw further seismic changes to the data protection framework globally and, in particular, the EU. The year heralded the long-negotiated GDPR, the NIS Directive, the Privacy Shield and ended with a flurry of further developments at EU and UK level.
We have pulled together a summary of key developments as well as things to watch out for in 2017.
Article 29 Working Party ("WP29") Guidelines on GDPR
The WP29 adopted guidelines on three major GDPR requirements, namely:
The draft e-Privacy Regulation
The European Commission's proposal for the Privacy and Electronic Communications Regulation ('e-Privacy Regulation') was published. Some key points are:
- enhanced harmonisation and consistency with the GDPR
- two-tier system of fines aligned to GDPR
- applicability extended to OTT (over-the-top) communications services
The Commission intends that the regulation would apply from 25 May 2018.
GDPR and Brexit
After months of uncertainty, the UK Government has made clear that the GDPR will apply in the UK. UK-based businesses need to get ready for the GDPR regardless of whether, and to what extent, GDPR requirements will apply post-Brexit. The ICO's position is clear: non-compliance for UK-based organisations is not an option.
In its recently published Cyber Security Regulation and Incentives Review, the UK Government has announced that it will set out the requirements to implement the NIS Directive which will be overseen by the new National Cyber Security Centre (NCSC).
The UK Digital Economy Bill currently proposes liability upon directors for serious breaches of the UK Privacy and Electronic Communications Regulations. Directors will be held liable for violations of the rules on direct marketing including so-called nuisance calls.
UK Investigatory Powers Act 2016
The CJEU ruled on the Data Retention and Investigatory Powers Act 2014 holding that EU member states cannot impose retention of personal data on a general basis. This challenges the legality of the newly adopted Investigatory Powers Act 2016 which appears to impose data retention beyond what is currently accepted by the CJEU.
Things to watch out for in 2017
Here's a (non-exhaustive) list of things to watch out for in the year ahead:
On data transfers:
- decision on the validity of the current EU Standard Contract Clauses
- annual joint EU-US revision of the Privacy Shield
- further guidance of the WP29 on GDPR on DPIAs and Certification mechanisms
- a Fab-Lab in April 2017 held by WP29
- carve outs under GDPR
On other EU legislation:
- implementation of NIS Directive
- negotiations for the adoption of the e-Privacy Regulation
On the UK:
- development and outcome of Brexit talks
- adoption of the Digital Economy Act
- Court of Appeal's decision on data retention practices
For a more in-depth look at all of the above, please see our Data Protection and Cybersecurity UK Update Alert here.