General Data Protection Regulation (GDPR): The GDPR will apply across the EU from 25 May 2018. It introduces significant changes that could have a profound impact on many organisations that collect and use information about individuals.
Over the next few weeks and months, we are expecting individual EU Member States to implement the requirements of the GDPR into national law, particularly in areas in which Member States are able to derogate from the requirements of the GDPR (such as in relation to the use of special categories of personal data and transfers outside the EEA). We await the outcome of the UK Government’s consultation on the potential derogations to be adopted in the UK, which closed on 10 May 2017. We are also expecting further guidance to be issued by the Information Commissioner’s Office (ICO) and the Article 29 Working Party (WP29).
The WP29’s Action Plan for 2017, published on 3 January 2017, includes the intention to issue guidance on: administrative fines; certification; profiling; consent; transparency; notification of personal data breaches and tools for legitimising transfers outside the EEA.
In July 2017, the ICO expects to release the final version of its draft guidance on consent under the GDPR. It also intends to publish guidance on contracts and liability, and is considering the implications of the GDPR for profiling and the processing of personal data relating to children.
You can find out more about the GDPR on Osborne Clarke’s dedicated GDPR Feature page.
Brexit: In February 2017, the UK Government confirmed that the UK would maintain a GDPR-equivalent regime post-Brexit. If the UK wants to be deemed adequate for the purposes of facilitating EU-UK data transfers, it will need to convince the European Commission that the broad scope of the UK Government’s surveillance powers under the Investigatory Powers Act 2016 does not undermine the level of protection afforded to personal data in the UK.
Data transfers outside the EEA: We await the Irish High Court’s judgment in the case of Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems.
The Data Protection Commissioner (DPC) has asked the Irish High Court to make a Preliminary Reference to the Court of Justice of the European Union (CJEU) as to the validity of the standard contractual clauses for legitimising transfers of personal data outside the EEA (otherwise known as the “Model Clauses”).
The intended referral to the CJEU does not mean that the Model Clauses are now invalid. It is likely to take some time for the CJEU to pass judgment on the Model Clauses so until we hear anything different (from the CJEU or from regulators) the Model Clauses should continue to be used.
e-Privacy Regulation: On 10 January 2017, the European Commission published its proposal for a Regulation on Privacy and Electronic Communications (e-Privacy Regulation) to replace the existing e-Privacy Directive (implemented in the UK by the Privacy and Electronic Communications Regulations 2003). It aims to reinforce trust and security in digital services in the EU by ensuring a high level of protection for privacy and confidentiality in the electronic communications sector, while also seeking to ensure the free movement of personal data and of electronic communications equipment and services within the EU.
The draft e-Privacy Regulation introduces significant reforms (summarised here), including in relation to the (much broader) scope and territorial application of the rules, the processing of “electronic communications data”, and the so-called ‘cookies’ rules (which, of course, cover a much wider range of technologies and activities than simply posting and accessing cookies).
Both the WP29 and the European Data Protection Supervisor have published their opinions on the draft e-Privacy Regulation. The final text of the e-Privacy Regulation is expected later this year. The original ambition of the European Commission was for the e-Privacy Regulation to come into effect on 25 May 2018 – the same date as the GDPR, although that does seem a little optimistic.
In focus: Personal Liability
Data Protection Act 1998 (DPA)
Generally, directors, officers and employees of companies have no personal liability for breaches of the DPA that are committed by their companies as data controllers. However, this does not remove the ability for individuals to commit specific offences personally.
For example, under section 55 of the DPA, it is a criminal offence to knowingly or recklessly, without the consent of the controller:
- obtain or disclose personal data (or the information contained in personal data); or
- procure the disclosure to another person of the information contained in personal data.
There are plenty of (very recent) examples of the ICO prosecuting individuals under section 55 of the DPA, although fines tend to be low. A typical, recent, example from April 2017 involved a former clerical officer being fined £650 and ordered to pay costs of £654.75 and a victim surcharge of £65 after accessing the sensitive medical records of two estranged family members without the consent of the data controller. The data controller was the individual’s former employer.
Privacy and Electronic Communications Regulations 2003 – Direct marketing
In response to the controversy over directors’ lack of accountability, the UK Government announced its intention to give additional powers to the ICO to fine company directors up to £500,000 for certain breaches of the PECR. This is in a move to tackle the trend of using liquidation as a means for companies to escape paying fines.
The plans were expected to be implemented from spring 2017, but have since been delayed.
The GDPR retains the position that directors, officers and employees of companies have no personal liability for breaches of the GDPR. Under the GDPR, there is no equivalent provision to section 55 of the DPA.
However, sanctions, powers and the general conditions for imposing administrative fines are all areas in which Member States are able to derogate from the GDPR. In particular, Recital 149 of the GDPR allows Member States to lay down the rules on criminal penalties for infringements of the GDPR.
The outcome of the UK Government’s consultation on the potential derogations to be adopted in the UK (referred to above) should shed some further light on this issue. We would expect, at the very least, that the UK will seek to include an equivalent criminal offence to that which is contained in section 55 of the existing DPA.
Dates for the diary
| Date | Event |
| --- | --- |
| Spring 2017 | New ICO enforcement power: £500,000 fine against company directors under PECR (implementation now delayed). |
| Summer 2017 | ICO guidance on consent: final version expected to be published following the consultation, which closed in March. |
| Summer 2017 | Summary of responses expected from the ICO’s feedback request in relation to profiling under the GDPR, which closed in April. |
| Summer 2017 | Irish High Court judgment expected in Data Protection Commissioner v Facebook Ireland Limited and Maximilian Schrems (in relation to the Model Clauses). |
| Throughout 2017 | Further guidance from the WP29 expected on various aspects of the GDPR (including administrative fines, certification, profiling, consent, transparency, notification of personal data breaches and tools for legitimising transfers outside the EEA). |
| Summer/Autumn 2017 | Final text of the e-Privacy Regulation expected to be approved. |
| 25 May 2018 | The e-Privacy Regulation (once finalised) is anticipated to come into effect. |
| 25 May 2018 | The GDPR applies. |