I am making an assumption that regardless of whether the UK votes in the referendum on 23 June to stay in or leave the European Union, the EU Data Protection Regulation, adopted in April, will still apply in the UK on 25th May 2018, just as it will throughout the European Union. My reason is that companies want one set of rules across the European Economic Area, the EU plus Norway, Iceland and Liechtenstein. Consumers will want to embrace the stronger rights which the Regulation gives them, helped by representative consumer organisations and competition authorities where necessary. If the UK leaves the European Union, the government would presumably apply for an EU “adequacy” declaration. But does the UK want to join the queue behind South Korea and probably Japan?
Chief Executive, Privacy Laws & Business
View Stewart’s follow-up article: How will Brexit have an impact on the UK’s Data Protection Act?
The European Parliament adopted the EU Data Protection Regulation on 14 April. It is now in force, and its provisions will be directly applicable in all EU Member States from 25 May 2018.
“The general Data Protection Regulation makes a high, uniform level of data protection throughout the EU a reality. This is a great success for the European Parliament and a fierce European ‘yes’ to strong consumer rights and competition in the digital age. Citizens will be able to decide for themselves which personal information they want to share”, said Jan Philipp Albrecht, the German Green MEP, who steered the legislation through the European Parliament.
“The regulation will also create clarity for businesses by establishing a single law across the EU. The new law creates confidence, legal certainty and fairer competition”, he added. The new rules include provisions on:
- a right to be forgotten,
- “clear and affirmative consent” to the processing of private data by the person concerned,
- a right to transfer your data to another service provider,
- the right to know when your data has been hacked,
- ensuring that privacy policies are explained in clear and understandable language, and
- stronger enforcement and fines up to 4% of firms’ total worldwide annual turnover, as a deterrent to breaking the rules.
What about organisations operating wholly within the UK?
Would the EU DP Regulation be such an additional burden? Christopher Graham, the Information Commissioner, has used his discretion to make the law operate in the UK in a less bureaucratic manner than in some other countries. We will wait and see how this discretion extends into the future when Elizabeth Denham takes over from Christopher Graham after 28 June. Our editor and I attended the Department of Culture, Media and Sport House of Commons Select Committee hearing in Westminster on 28 April when Ms. Denham was subjected to intensive questioning by the MPs. Privacy Laws & Business (PL&B) was the first with the news of her appointment the next morning.
The UK’s room for manoeuvre
Iain Bourne, Data Protection Policy Delivery Group Manager at the Information Commissioner’s Office, will shine light on the derogations, this room for manoeuvre, for interpreting the EU Data Protection Regulation in the UK when he addresses this issue on 4th July at Great Expectations, PL&B’s 29th Annual International Conference in Cambridge. On the same day, the UK’s Data Protection Minister, Baroness Neville-Rolfe, will give the conference the government’s perspective on the EU Data Protection Regulation package. There are many sessions specifically covering UK issues in addition to the international ones.
The EU Data Protection Regulation’s “in force” and “apply” dates
When the EU Data Protection Regulation’s timetable was announced on the European Commission’s website at http://ec.europa.eu/justice/data-protection/index_en.htm, the wording raised more questions than it answered. It states:
“On 4 May 2016, the official texts of the Regulation and the Directive have been published in the EU Official Journal in all the official languages. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018.”
After constantly being informed that we all had two years to adjust, it seemed rather scary to learn that the Regulation would enter into force within a few days. Therefore, in order to understand the difference between “in force” and “apply” I went to the top and asked Bruno Gencarelli, Head of the Data Protection Unit, Justice, the European Commission, for an explanation.
PL&B’s Question: What do the terms “in force” and “apply” mean? Usually, the term “in force” means when the law applies to the people subject to the law. But as the companies’ duties and the individuals’ rights begin on 25 May 2018, these words do not seem to match their plain meaning.
Does “in force” mean in this context that the two year timetable begins on 24 May 2016 so that everyone involved must start preparing? If not, what does “in force” mean in this context?
The European Commission’s answer (in less than an hour!): This is not unusual in EU law. The texts will be fully applicable to companies, and individuals will be able to invoke their rights in two years’ time. In the meantime, “in force” means that EU Member States cannot take any measure compromising or prejudicing the goals and content of the Regulation or the Directive and, for example, have to abrogate any rule that is contrary to the Regulation/Directive.
It was decided to provide for a two-year transition to allow all interested parties (Member States, Data Protection Authorities, companies etc.) to prepare themselves for the full application of the new rules. This was already part of our original proposal.
PL&B enables you to engage directly with the decision-makers
One of the benefits of subscribing to PL&B Reports www.privacylaws.com/Publications/ and attending PL&B events is that you have an unrivalled opportunity to engage directly with policymakers and regulators both in sessions and informally on:
- 4-6 July at Great Expectations, PL&B’s 29th Annual International Conference in Cambridge with 40+ speakers from 16 countries – www.privacylaws.com/ac29 where you will meet national and EU level data protection regulators and policy makers, and
- 28 September in Birmingham on the impact of the EU DP Regulation in the UK – http://www.privacylaws.com/Events/Other/EU-Data-Protection-Regulation-Time-to-get-organised-in-the-UK/.
By July, we will know the outcome of the referendum, and Christopher Graham, the UK’s Information Commissioner, will have passed the baton to Elizabeth Denham, who will have started work as the UK’s Information Commissioner. As far as we are aware, this is the first time that any Data Protection or Freedom of Information Commissioner anywhere has been appointed from a different country, which is sure to give her a fresh perspective.
Stewart Dresner has written on data protection/privacy and freedom of information since 1975, when he initiated a research project on this subject at the UK Consumers Association. He established Privacy Laws & Business in 1987. Its first service was the Privacy Laws & Business International Newsletter, which has now developed to become the hub of a comprehensive global information service, currently on 120+ countries. Privacy Laws & Business services include consulting, conferences, training, recruitment, the Privacy Laws & Business UK Report (which also covers the Freedom of Information Act), and the Privacy Officers Network. Privacy Laws & Business has clients in over 50 countries. Stewart has spoken on data protection/privacy law at conferences in around 20 countries. The Privacy Laws & Business website, www.privacylaws.com, provides details of the firm’s services and links to privacy information worldwide.
Copyright Stewart Dresner, Chief Executive, Privacy Laws & Business