Recently Datonomy attended the second of two conferences held by Exeter University addressing the UK’s place in the Digital Single Market. The day, hosted at Portcullis House, focused on data protection and privacy policy with viewpoints provided by both practitioners and stakeholders. Of particular relevance to Datonomy readers were the panels’ opinions on the ePrivacy Directive review, the GDPR, and the new Investigatory Powers Act (recently explored by Datonomy here).

Draft ePrivacy Regulation on the horizon

Perhaps the headline news from the day was the strong support for the review of the ePrivacy Directive to result in the implementation of a new ePrivacy Regulation (therefore directly effective). It was argued the Regulation should extend the scope of the current ePrivacy Directive to cover new tech including, for example, OTT Providers, publically used private networks and the Internet of Things.

According to the European Commission the draft proposal is expected to be published by the end of 2016, with May 2018 targeted as an implementation date- to align with the deadline for transposing the GDPR into national law of 6 May 2018. Time will tell whether this short turnaround is overly ambitious.

Does this concern UK organisations?

It remains highly unlikely that the UK will have left the EU by May 2018 and therefore, similar to the GDPR, UK organisations should prepare for its implementation accordingly.

GDPR: Brexit and future UK adequacy

As to the GDPR, discussion focussed on how the UK will treat the Regulation post Brexit. Described as a ‘rock in times of change’ and ‘an industry gold standard’, the benefits of remaining in the GDPR were clear: if a business is compliant, then they are likely compliant anywhere in the world.

However, also discussed was whether the Regulation’s high compliance threshold could be unduly onerous to SMEs: for example Article 33, which gives businesses 72 hours to notify a breach after having become aware of it. It was argued that the Regulation’s strict provisions may lead the UK, as a proponent of a pragmatic and risk based approach to the GDPR during its drafting, to want to nuance the Regulation, or even opt out altogether.

Is ‘opting-out’ a feasible option?

The feasibility of an opt out decision would hinge on the UK being declared by the European Commission as providing an ‘adequate’ level of personal data protection to European data transfers, per Article 45. Given the fact that Canada and New Zealand have adequacy already, it is likely that the EC would grant the UK adequacy, but as evidenced by the current challenge to the EU-US Privacy Shield, any adequacy decision would be likely subject to challenge.

Investigatory Powers Act 2016

And finally, the recently enacted Investigatory Powers Act was met with healthy scepticism by the vast majority of speakers. Amongst other things, it was questioned whether the controversial bulk data retention provisions in the IPA would ever pass an ‘adequacy test’. The 2014 DRI Ireland case was highlighted (explored by Datonomy here) whereby the Data Retention Directive was struck down, indicating that the bulk retention of data is potentially a breach of both domestic and international human rights standards. Going forward, it seems likely that businesses can expect to see multiple challenges to the new Act.

Datonomy will continue to monitor the progress of all these topical developments and bring you timely updates.

Leave a Reply

Your email address will not be published. Required fields are marked *