While Brexit is undoubtedly going to dominate 2019, it will certainly not derail the EU's legislative agenda although it may slow things down in the UK. We are also expecting some significant court decisions this year.

Data privacy


The UK government recently published the draft Data Protection, Privacy and Electronic Communications (Amendment etc.) (EU Exit) Regulations 2016. These are intended to come into effect on exit day but will not apply in full if there is a transition period. The Regulations consolidate the EU GDPR and the UK DPA18 to create the UK GDPR and provide for uninterrupted data flows from the UK to EEA countries and Gibraltar. Read more in our article.

Over the course of 2018, the ICO is expected to publish various codes of practice including:

  • Direct marketing code
  • Data sharing code
  • Age appropriate design code
  • Data protection and journalism code
  • Code of practice on the use of personal data in political campaigns.

We also expect ICO guidance including on:

  • Deletion
  • Exemptions to data subject rights
  • Data protection by design

The Morrisons case around vicarious liability for data breaches heads to the Supreme Court this year and the ICO has issued criminal proceedings against SCL Elections Ltd (trading as Cambridge Analytica). Both decisions will be of interest.


We continue to expect the ePrivacy Regulation which will update rules on cookies and direct marketing. It does, however, seem unlikely that this will be finalised before the EU Parliamentary elections in May. As explained in our article on the Global Data Hub, the draft has been considerably watered down and it may well be that the most significant impact in this area has already been felt with the change to GDPR consent which took effect on 25 May 2018.

The EU will continue to progress the Cybersecurity Act which is intended to create an EU-wide cybersecurity certification framework. Informal agreement was reached at trilogue stage and we expect the Regulation to be finalised in the early part of this year.

The Regulation on a framework for the free flow of non-personal data in the EU which prohibits unjustified data localisation requirements, was passed in November 2018 and will apply from 28 May 2019.

The EDPB is likely to issue an Adequacy Decision in respect of Japan and further guidance on issues including international transfers and clinical trials. Draft guidance published at the end of 2018 on the role of the representative, certification and contracts will be finalised.

Data transfers to the US will be under the spotlight again this year. The Irish Supreme Court has given Facebook leave to appeal on a CJEU reference relating to SCCs as a data export mechanism to from the EEA to the USA. If the appeal is denied then we are likely to see a decision from the CJEU on the issue. The Commission has also said that the US must appoint a permanent Ombudsperson to oversee the Privacy Shield by 28 February 2019 although it is not entirely clear what will happen if the appointment is not made by then.

See our predictions for 2019 to read more about hot topics for the coming year in data protection and cybersecurity.

Consumer protection


Consumer Green Paper

The UK government published a Consumer Green Paper in April 2018, identifying issues it hopes to look at in 2019. These include:

  • Addressing the loyalty penalty (the fact that you effectively lose out by not switching).
  • Using data portability to assist consumer switching.
  • Understanding how personalised pricing is used and whether it can harm consumers.
  • Promoting confidence in C2C trading.
  • Improving businesses' terms and conditions.
  • Minimising the use of unfair terms.
  • Improving uptake of ADR.
  • Introducing fines for breaches of consumer law – the government intends to introduce legislation to give civil courts the power to impose financial penalties. Fines will be capped at 10% of an organisation's worldwide turnover.

The government consultation on the Green Paper closed in July 2018 but a response has not yet been published.

CMA sector focus

The CMA will focus on the following markets in 2019:

  • Hotel booking sites
  • Funerals market
  • Loyalty penalties
  • Personalised pricing

The OPSS was established in early 2018, issuing its first strategy in August 2018 together with the new Product Recall Code. The Strategy suggested the OPSS would produce its first full strategic assessment of the product safety landscape by the end of March.


New deal for consumers package

The EC announced a new deal for consumers package in April 2018, intended to strengthen consumer protection enforcement. Two draft Directives were proposed. Progress has been limited to date but we may see more this year:

  • Directive on better enforcement and modernisation of EU consumer protection rules (the Omnibus Directive) – intended to amend the Unfair Contract Terms Directive, the Unfair Commercial Practices Directive, the Consumer Rights Directive and the Price Indication Directive. The draft covers penalties for infringement, transparency requirements for online marketplaces, protection for consumers of free digital services and dual quality of products. The draft is awaiting an EP Parliamentary decision.
  • Directive on representative actions for consumers – will repeal and replace the Consumer Injunctions Directive. The draft will be voted on by the European Parliament in its plenary session.

There are two draft Directives going through the legislative process at the moment. Again, progress has been slow but it is being made.

  • Digital Content Directive – the EU is proposing maximum harmonisation measures to ensure consumer rules and protections apply equally to digital content and goods and that these rules are harmonised as far as possible.
  • Supply of goods Directive – maximum harmonisation of measures relating to the sale of goods.

The major outstanding issues have been:

  • The treatment of 'smart goods' (goods with embedded digital content) and whether they should be treated as goods as a whole or whether the digital element should be treated separately as digital content; and
  • The reluctance of Member States to harmonise limitation periods and change the period before the burden of proof is reversed.

The latest versions suggest that smart goods should be treated simply as goods, and that Member States will have discretion to vary minimum consumer protections, for example, by giving consumers a short term right to reject, as the UK does under the Consumer Rights Act. They may also have discretion to require that defects be notified to the trader within two months of discovery in order to attract remedies.

Online platforms

As part of the Digital Single Market project, the EC has proposed a Regulation on promoting fairness and transparency for business users of online intermediation services. This will introduce new rules governing relations with certain platforms which deal with consumers, and the businesses that use them. Platforms in scope are likely to include search engines, e-commerce marketplaces, social media and price comparison tools. The draft Regulation will address sudden unexplained changes in terms and conditions, account suspensions, delisting of products and ranking issues as well as redress mechanisms. The latest draft also suggests that most favoured nation clauses which prevent business users offering better terms elsewhere will be banned.

The draft Regulation was approved by the lead European Parliament Committee in December and is due to be voted on by the European Parliament in plenary session.

Product liability

The EC concluded that the current Product Liability Directive is broadly fit for purpose but it is launching an expert group to explore the effect of economic and technological developments. The group will assess whether the overall liability regime is adequate to facilitate the uptake of new technologies, and whether the Directive needs to be updated or amended in light of developments in the EU and case law. The Commission intends to publish guidance on the Directive in mid-2019 and a report on whether or not the Directive needs to change.

Commercial and tech


Brexit is definitely slowing down the flow of new legislation which is unconnected to Brexit in the UK although a raft of SIs has been prepared to ensure the legal framework functions (as far as possible) in the event of a no deal.

We do know that the Digital Services tax will apply from 1 April 2019. The tax of 2% will be applied to revenue over £25m derived from certain services linked to UK users provided by online marketplaces, social media platforms and search engines with global revenue of over £500m. Loss-making businesses will not have to pay the tax and those with low profit margins will pay a reduced rate. There is very little detail available at the moment as to how that will be determined. Revenues caught will include advertising revenues generated by social media platforms or search engines, and commission charged by online marketplaces (not revenue from online sales). The DST will not apply to financial or payment services, the provision of online content, sales of software or hardware, nor to television or broadcasting services. The government will be publishing more detail about how the tax will work following its consultation.

Other issues likely to feature this year include Modern Slavery and supply chains, online disinformation, clarity on the use of electronic signatures for deeds, and a possible ban on 'ipso facto' termination clause – clauses that allow one party to terminate a contract due to the insolvency or financial condition of another party.

The employment status of gig economy workers was the subject of a number of high profile cases in 2018 and the Supreme Court will be looking at this when it hears Uber's appeal against the Court of Appeal decision that a group of its drivers should have been treated as workers in 2016. Read more on the Uber decision.


Online disinformation is an increasing focus across the world and the EU is not alone in starting to take this issue seriously. To date, the EU has stopped short of legislating in this area (outside a package of measures designed to prevent interference in EP elections, and to prevent dissemination of terrorist content) but is waiting to see what effect the industry voluntary code of practice has before deciding whether further steps are needed.