Call on 0844 2722322

Direct Access and Referral Barrister.
at St Pauls Chambers, Leeds & Gough Square Chambers, London

General Data Protection Regulation & Brexit | Data Protection Lawyer

General Data Protection Regulation & Brexit | Data Protection Lawyer

On 20 April 2017, Gough Square Chambers held a conference on the potential impact of Brexit on consumer law. Members of chambers considered a number of issues including an overview of current white papers, impact of food law, unfair commercial practices, and consumer credit.

Jeremy Barnett spoke about the impact of the General Data Protection Regulation that comes into force in the UK on 2th May 2018. As Brexit is currently scheduled for the end of March 2019, the question arises what will happen if this new EU Directive no longer applies in the UK.

The new General Data Protection Regulation, follows the EU Directive 95/46/EC adopted in 1995. In summary it imports a number of new obligations into UK law:

  • The Right to be Informed.
  • Right of Access
  • Right of Erasure
  • Right to restrict Processing
  • Right to Data Portability
  • Right to Object
  • Rights in relation to automated decision making and profiling which includes the rights to obtain human intervention, express their point of view, and obtain an explanation and right of challenge.

The first point to make is that whatever happens to UK law on the topic, anyone who does business in the EU will have to comply with the GDPR, so it is likely that the majority of the new regulation will be incorporated into UK legislation, to take effect immediately upon Brexit. There will have to be alterations as European institutions will not involve the UK -such as the new European Data Protection Board. Issues such as cross border inforcement and the ICO  as a supervisory authority will need to be resolved. Commentators feel that the GDPR was designed to capture US tech companies, so there will no doubt be pressure on the ICO to reflect many of the new controls in any new UK version.

One issue that arises is the lack of a definition of 'Due Diliegence' as a defence under the GDPR. In practice, this may have little effect as the new regime introduces Privacy Impact Assessments, Data Protection Audits, Policy Reviews and Activity Reports, which can all be used to demonstrate that steps have been taken to ensure compliance.

The EU Article 29 Working Party is currently looking at a the detail around issues that are anticipated to arise with the introduction of the GDPR. They have recently reported on the following issues:

  • The is scope for confusion around the new 'Privacy Shield' which was designed to encourage cooperation with the USA,
  • Guidelines on Data Portability
  • Guidelines on the new Data Protection Officers - who needs to appoint etc.
  • Guidelines on Lead Supervising Authorities where a multi national company is based in more than one EU state.

One area that will require consideration by the ICO is the EU Safe Zone, which deals with transfers of information outside the EU zone. One the UK leaves the EU steps will have to be taken to mirror the adequacey provisions, with a probable result that UK will apply to become an EU Commission approved 'white listed country' which is deemed to be compliant without the need for additional measures to be introduced.

The EU Privacy Shield, mentioned above, was launched in 2016 for transatlantic data flows. This is a new framework that protects the rights of anyone in the EU whose personal data is transferred to the US as well as bringing legal clarity for businesses relying on transatlantic data transfers. It is interesting to note that there is a dispute resolution process as well as clear safeguards in respect of transparency around US government access to material.

Although further guidance is expected from the EU Article 29 working party on a number of issues, it is fair to assume that the UK will adopt as much of the GDPR as it is relevant and appropriate. Commentators and representatives of the ICO agree that there will have to be consideration of some form of 'enhanced equivalence' as with Financial Services. 

One major outstanding issue to be resolved by the ICO and the working party, is the definition of 'Consent' as opposed to 'Specific Consent' which must be It must be 'freely given, specific, informed and unambiguous'. The author is curently involved in a number of cases involving Claims Management Companies who face regulatory action from the Claims Management Regulation Unit. The battleground in these cases, where substantial fines are imposed which are subject to appeal before the First Tier Tribunal, consists of two issues - what was said on the telephone by the call centre operatives ( which is often the subject of dispute) and also whether or not the clients gave their consent, often to other third party providers of lists of names) to be called, or had notifed the TPS that they wished to avoid future calls.

In conclusion, it can be seen that there is a great deal of uncertaintly around the detail of the new regime that is to be introduced by the GDPR, Brexit merely introduces a further layer of uncertainty around the entire subject. A further issue that has come to light is who will pick up the bill for the enhanced role of regulation that the ICO is likely to take on from the various EU institutions. It is likely that this enhanced cost of regulation will be collected either in increased costs of registration or by the introducton of higher fines as the result of regulatory action, as has been seen in other areas of interest, such as the new Fundraising Regulator. It has already been noted that the Charity Sector has seen large fines being imposed by the ICO for new types of offences such as financial profiling - see blog article dated 7th April 2017

Click Here for other slides from the Gough Square Chambers Seminar on Brexit. 

For any advice and assistance for issues like these please do call Jeremy on 0844 2722322 or submit a comment below. Jeremy will come back to you at the earliest convenience.

Comment on this article

security code

Please enter the code seen in the image

Copyright © 2018. All rights reserved. Design & Development by ATB Creative