The Polish Data Protection Authority, GIODO (Generalny Inspektor Ochrony Danych Osobowych), as well as data controllers and data processors in Poland are currently preparing for the General Data Protection Regulation (GDPR). Among other things, GIODO has recently proposed that Administrators of Information Security (so-called “ABIs”, or Administratorzy Bezpieczeństwa Informacji – the Polish counterparts of Data Protection Officers), who are registered in the national register kept by GIODO, will ex lege become Data Protection Officers under the GDPR. According to information on GIODO’s website: “one of the provisions that should be included in the new personal data protection act, pursuant to the necessity to implement the GDPR, is a transitional provision, according to which the ABIs registered in a national, open register should ex lege become Data Protection Officers” (available here in Polish).
This statement is explained by the current status and competencies of ABIs. The function of ABI, in its current state, was introduced in Poland on 1 January 2015 with the aim of preparing a group of privacy professionals to meet the requirements of the GDPR and increasing the professionalisation of this role in organisations. In GIODO’s opinion, its proposal will make “information security administrators who have met all the criteria currently required to fulfill this function [i.e. under Polish regulations] able to continue performing this function without having to take into consideration any further formal actions”. However, this position raises some doubts because, despite their close similarities, the status of ABIs and DPOs is somewhat different. As a result, it does not seem plausible that national data controllers could “automatically” change the name ‘ABI’ into ‘DPO’ without taking any further action, e.g. in relation to a DPO’s obligation to act as a contact point for data subjects and the supervisory authority.
This was one of many issues raised by GIODO in the proposed procedure prepared by a special team working on the reform of data protection law in Poland, appointed by GIODO on 8 July 2016. The draft of this procedure (“Proposed procedures before the Inspector General”, available here in Polish) was sent to the Ministry of Digital Affairs on 27 January 2017, where it is currently subject to further work.
The UK Government has today published a white paper setting out its approach to the forthcoming negotiations on exiting the European Union, and its vision for a ‘post-Brexit’ settlement. In a chapter entitled ‘Ensuring free trade with European markets’, the white paper outlines the Government’s intention to retain data protection standards in the UK which are equivalent to those in the EU.
The free flow of data between the UK and continental Europe is an important foundation of cross-border trade, and a fact of life for many UK and EU businesses and consumers. EU law, both in its current form through Directive 95/46/EC, and in the General Data Protection Regulation (“GDPR”), which will apply from May 2018 onwards, restricts the transfer of personal data from the EU to ‘third countries’ which do not have a level of data protection recognised as equivalent by the European Commission. This is expressly addressed in the white paper, which commits the Government to seek a solution which preserves stable data transfers between the UK and EU once the UK officially becomes a third country:
8.39 The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.
8.40 As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.
Whilst an equivalency decision is not specifically referred to as the Government’s goal, this is a strong indication that the UK is not planning to deviate significantly from the GDPR standards which it will adopt, whilst it is almost certainly still a member of the EU, in May 2018.
The statements contained in the white paper are the latest in a line of public pronouncements which have helped to give a degree of clarity and reassurance around the UK Government’s plans for data protection law in the UK in the wake of Brexit. In her first speech as the new Information Commissioner in September 2016, Elizabeth Denham talked about the ‘fundamental importance’ of data flows between the UK and the EU, and about the need for consistency of law and standards. More recently, the UK’s Data Protection Minister, Matt Hancock, confirmed in evidence given to the House of Lords Home Affairs sub-committee that (i) the UK will implement the GDPR in full in May 2018; and (ii) as and when the UK re-evaluates its legal framework post-Brexit, it needs to prioritise data sharing with international partners.
Given the potential for upheaval caused by Brexit across a whole range of areas which are based, directly or indirectly, on EU law, it is encouraging to be given an indication that the UK is leaning towards a strategy of stability and equivalence in the field of data protection. The GDPR represents a once-in-a-generation change in data protection and privacy law, which the UK Government, the ICO and businesses have been gearing up to for several years. The inference from these latest statements is that that preparation will not be in vain, and that the broad framework of the GDPR will be the basis for UK data protection law both in sixteen months’ time, and in the eventual post-Brexit landscape.