On 25 May 2016, the General Data Protection Regulation ("GDPR") came into force. Before panic ensues, there is now a two-year implementation period, with the deadline for compliance being 25 May 2018. The ICO will shortly be issuing guidance on different aspects of the GDPR, starting with the differences between the current law and the GDPR. We have also heard that the ICO is developing an automated breach notification system. The ICO is preparing, and many of our clients are now beginning their compliance regimes in earnest. This month we begin a series of deep dives into certain aspects of the GDPR, with the first of this series looking at the effect of the restrictions on profiling on the insurance sector. You can read our analysis here.
A question that I have been asked a number of times in the last few months is: is there any point in beginning GDPR compliance regimes if we are facing a potential Brexit? The answer has to be yes. The ICO has made it clear that the UK will need clear and effective data protection laws, whether or not the country remains part of the EU. It is difficult to see how the UK could not implement privacy laws that are at least equivalent to the GDPR. Transferring personal data from countries inside Europe to outside the European Economic Area is subject to restrictions and, in many cases, to a finding of adequacy by the European Commission. In the event of Brexit, and the European Commission being asked to assess the standards of data protection law in the UK, it would be looking for the equivalent of the GDPR to be in place. To do anything less would mean the demise of our tech sector, which hosts and processes personal data on behalf of our European neighbours.
On the topic of international transfers, in a predictable twist, we learnt last month that Ireland’s Data Protection Commissioner is to refer the Schrems Facebook case back to the CJEU to determine whether Facebook can continue to transfer data from the EU to the US by using EU model clauses. The elephant in the room when the CJEU ruled that Safe Harbor was not an adequate method of transferring personal data to the US, due to the mass surveillance activities of US authorities, was that such surveillance still occurs regardless of the transfer mechanism. Model clauses were still considered an adequate method. Mr Schrems now claims that Facebook USA continues to be subject to US mass surveillance laws, independent of the use of “model clauses” or “Safe Harbor”, and that his data continues to be subject to fundamental rights violations once it reaches the United States. To see our Irish data protection team's analysis of these events, please click here.
However, with this potential step backwards, there has been some positive progress towards a new EU-US data transfer agreement. Please see our report on these steps here.
Moving away from the GDPR, the Queen's Speech contained a plethora of proposed digital and data protection related legislation to keep those disappointed with the finalisation of the GDPR on their toes. To see our summary of these proposals, click here.
May was also a very busy month in the world of cyber security, with new legislation and guidance placing heightened importance on the need to ensure that all systems, from national infrastructure down to SMEs, are adequately protected from growing cyber threats. See our cyber security round-up here.
Finally, please have a look at our ICO enforcement May round-up, where we saw fines for insufficient marketing consents, inadvertent disclosures of personal data, and the age-old story that the ICO considers training in data protection a minimum requirement.