The Data Protection and Digital Information (No.2) Bill: How will it change the UK GDPR?

On 8th March 2023, the UK Department for Science, Innovation and Technology (DSIT) published the Data Protection and Digital Information (No.2) Bill (“the new Bill”). If enacted, it will make changes to the UK GDPR, the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (“PECR”).

According to the DSIT press release, the Bill will result in a “new common-sense-led UK version of the EU’s GDPR [and] will reduce costs and burdens for British businesses and charities, remove barriers to international trade and cut the number of repetitive data collection pop-ups online.” It also claims that the reforms are “expected to unlock £4.7 billion in savings for the UK economy over the next 10 years.” How this figure has been calculated is not explained, but we have been here before! Remember the red bus?

How did we get here?

This is the second version of a bill designed to reform the UK data protection regime. In July 2022, the Government published the Data Protection and Digital Information Bill (“the previous Bill”). This was paused in September 2022 so ministers could engage in “a co-design process with business leaders and data experts” and move away from the “one-size-fits-all approach of the European Union’s GDPR.” On 3rd October 2022, during the Conservative Party Conference, Michelle Donelan, then the new Secretary of State for Digital, Culture, Media and Sport (DCMS), made a speech announcing a plan to replace the UK GDPR with a new “British data protection system”. Another full consultation round was expected but never materialised.

The previous Bill has now been withdrawn. We will provide analysis and updates on the new Bill, as it progresses through Parliament, over the coming months. An initial summary of the key proposals, both old and new, is set out below:

What remains the same from the original bill?

Many of the proposals in the new Bill are the same as contained in the previous Bill. For a detailed analysis please read our previous blog post. Here is a summary:

  • Amended Definition of Personal Data: This proposed change would limit the assessment of identifiability of data to the controller or processor, and persons who are likely to receive the information, rather than anyone in the world. 

  • Vexatious Data Subject Requests: The terms “manifestly unfounded” or “excessive” requests, in Article 12 of the UK GDPR, will be replaced with “vexatious” or “excessive” requests. Explanation and examples of such requests will also be included.

  • Data Subject Complaints: Data Controllers will be required to acknowledge receipt of Data Subject complaints within 30 days and respond substantively “without undue delay”. The ICO will be entitled not to accept a complaint, if a Data Subject has not made a complaint to the controller first.

  • Data Protection Officer: The obligation for some controllers and processors to appoint a Data Protection Officer (DPO) will be removed. However, public bodies and those who carry out processing likely to result in a “high risk” to individuals will be required to designate a senior manager as a “Senior Responsible Individual”. 

  • Data Protection Impact Assessments: These will be replaced by leaner and less prescriptive “Assessments of High Risk Processing”. 

  • International Transfers: There will be a new approach to the test for adequacy applied by the UK Government to countries (and international organisations) and when Data Controllers are carrying out a Transfer Impact Assessment or TIA. The threshold for this new “data protection test” will be whether a jurisdiction offers protection that is “not materially lower” than under the UK GDPR. (For more detail see also our forthcoming International Transfers webinar).

  • The Information Commission: The Information Commissioner’s Office will transform into the Information Commission; a corporate body with a chief executive.

  • Business Data: The Secretary of State and the Treasury will be given the power to issue regulations requiring “data holders” to make available “customer data” and “business data” to customers or third parties, as well as regulations requiring certain processing, such as collection and retention, of such data. 

  • PECR: Cookies will be allowed to be used without consent for the purposes of web analytics and to install automatic software updates. Furthermore, non-commercial organisations (e.g. charities and political parties) will be able to rely on the “soft opt-in” for direct marketing purposes, if they have obtained contact details from an individual expressing interest. Finally, the maximum fine will increase from the current £500,000 to UK GDPR levels, i.e. up to £17.5m or 4% of global annual turnover (whichever is higher). 

What has changed?

The new Bill does not make any radical changes to the previous Bill; rather it clarifies some points and provides a bit more flexibility in other areas. The main changes are summarised below:

  • Scientific Research: The definition of scientific research is amended so that it now includes research for the purposes of commercial activity. This expands the circumstances in which processing for research purposes may be undertaken, providing a broader consent mechanism and an exemption from the fair processing requirement.

  • Legitimate Interests: The previous Bill proposed that businesses could rely on legitimate interests (Article 6 lawful basis) without the requirement to conduct a balancing test against the rights and freedoms of data subjects where those legitimate interests are “recognised”. These “recognised” legitimate interests cover purposes for processing such as national security, public security, defence, emergencies, preventing crime, safeguarding and democratic engagement. The new Bill, whilst keeping the above changes, introduces a non-exhaustive list of cases where organisations may rely on the “legitimate interests” legal basis, including for the purposes of direct marketing, transferring data within the organisation for administrative purposes and for the purposes of ensuring the security of network and information systems; although a balancing exercise still needs to be conducted in these cases. 

  • Automated Decision Making: The previous Bill clarified that its proposed restrictions on automated decision-making under Article 22 UK GDPR should only apply to decisions that are a result of automated processing without “meaningful human involvement”. The new Bill states that profiling will be a relevant factor in the assessment as to whether there has been meaningful human involvement in a decision. 

  • Records of Processing Activities (ROPA): The previous Bill streamlined the required content of ROPAs. The new Bill exempts all controllers and processors from the duty to maintain a ROPA unless they are carrying out high risk processing activities. 

The Impact

The EU’s adequacy decisions for the UK contain a four-year sunset clause; they expire on 27th June 2025 unless renewed. Some commentators have suggested that the changes may jeopardise the UK’s adequate status and so impact the free flow of data between the UK and EU. We disagree. Although the Government states that the new Bill is “a new system of data protection”, it still retains the UK GDPR’s structure and fundamental obligations. Some tinkering around the edges is not really going to have much of an impact (see the helpful redline version of the new Bill produced by the good people at Hogan Lovells). Organisations that are already compliant with the UK GDPR will not be required to make any major changes to their systems and processes. 

The new Bill has been introduced at the first reading stage. The second reading, due to be scheduled within the next few weeks, will be the first time the Government’s data protection reforms are debated in Parliament. We expect the Bill to be passed in a form similar to the one now published and to come into force later this year.

This and other data protection developments will be discussed in detail on our forthcoming DP Bill workshop. There are only 3 places left on our next Advanced Certificate in GDPR Practice.

2024 UPDATE:

In an amendment made in the House of Commons, clause 12 of the Bill amends Article 15 of the UK GDPR so that, when responding to a subject access request, the data subject is only entitled “to such confirmation, personal data and other information as the controller is able to provide based on a reasonable and proportionate search for the personal data and other information”.

The Commissioner has expressed reservations about the adequacy of safeguards in the current draft of the bill, especially in terms of personal data handling for social security purposes. https://actnowtraining.blog/2023/12/21/data-protection-bill-faces-scrutinycommissioner-calls-for-tighter-safeguards/

The New EU Data Governance Act

On 17th May 2022, the Council of the European Union adopted the Data Governance Act (DGA), or Regulation on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (2020/0340 (COD)) to give its full title. The Act aims to boost data sharing in the EU, allowing companies to have access to more data to develop new products and services. 

The DGA will achieve its aims through measures designed to increase trust in relation to data sharing, creating new rules on the neutrality of data marketplaces and facilitating the reuse of public sector data. The European Commission says in its Questions and Answers document:

“The economic and societal potential of data use is enormous: it can enable new products and services based on novel technologies, make production more efficient, and provide tools for combatting societal challenges”.

Application

The DGA will increase the amount of data available for re-use within the EU by allowing public sector data to be used for purposes different than the ones for which it was originally collected. The Act will also create sector-specific data spaces to enable the sharing of data within a specific sector e.g. transport, health, energy or agriculture.

Data is defined as “any digital representation of acts, facts or information and any compilation of such acts, facts or information, including in the form of sound, visual or audiovisual recording” that is held by public sector bodies and which is not subject to the Open Data Directive but is subject to the rights of others. Examples include data generated by GPS and healthcare data, which if put to productive use, could contribute to improving the quality of services. The Commission estimates that the Act could increase the economic value of data by up to €11 billion by 2028.

Each EU Member State will be required to establish a supervisory authority to act as a single information point providing assistance to governments. They will also be required to establish a register of available public sector data. The European Data Innovation Board (see later) will have oversight responsibilities and maintain a central register of available DGA Data. 

On first reading the DGA seems similar to The Re-use of Public Sector Information Regulations 2015 which implemented Directive 2013/37/EU. The aim of the latter was to remove obstacles that stood in the way of re-using public sector information. However the DGA goes much further. 

Data Intermediary Services 

The European Commission believes that, in order to encourage individuals to allow their data to be shared, they should trust the process by which such data is handled. To this end, the DGA creates data sharing service providers known as “data intermediaries”, which will handle the sharing of data by individuals, public bodies and private companies. The idea is to provide an alternative to the existing major tech platforms.

To uphold trust in data intermediaries, the DGA puts in place several protective measures. Firstly, intermediaries will have to notify public authorities of their intention to provide data-sharing services. Secondly, they will have to commit to the protection of sensitive and confidential data. Finally, the DGA imposes strict requirements to ensure the intermediaries’ neutrality. These providers will have to distinguish their data sharing services from other commercial operations and are prohibited from using the shared data for any other purposes. 

Data Altruism

The DGA encourages data altruism. This is where data subjects (or holders of non-personal data) consent to their data being used for the benefit of society, e.g. for scientific research purposes or improving public services. Organisations who participate in these activities will be entered into a register held by the relevant Member State’s supervisory authority. In order to share data for these purposes, a data altruism consent form will be used to obtain data subjects’ consent.

The DGA will also create a European Data Innovation Board. Its mission will be to oversee the data sharing service providers (the data intermediaries) and provide advice on best practices for data sharing.

The UK

Brexit means that the DGA will not apply in the UK, although it clearly may affect UK businesses doing business in the EU. It remains to be seen whether the UK will take a similar approach, although it is notable that UK proposals for amending the GDPR include “amending the law to facilitate innovative re-use of data for different purposes and by different data controllers.”

The DGA will shortly be published in the Official Journal of the European Union and enter into force 20 days after publication. The new rules will apply 15 months thereafter. To further encourage data sharing, on 23 February 2022 the European Commission proposed a Data Act that is currently being worked on.

This and other GDPR developments will be discussed in detail on our forthcoming GDPR Update workshop. We also have a few places left on our Advanced Certificate in GDPR Practice course starting in September.

Act Now launches Law Enforcement Data Processing Policy Pack (Part 3 DPA 2018)

Organisations with a role in preventing and detecting crime (e.g. councils, police, regulatory bodies etc.) not only have to comply with the GDPR but also with Part 3 of the Data Protection Act 2018 (DPA 2018), which applies to the processing of personal data for law enforcement purposes. This is a complex task requiring, amongst other things, a set of policies, procedures and notices; a daunting task especially for organisations “starting from scratch”.

Act Now has applied its 16 years of information governance experience to create a policy pack containing essential document templates to help you meet the requirements of the DPA 2018. It will save you hours of drafting and research time. The pack includes, amongst other things, template privacy notices as well as procedures for data security and data breach reporting. Security is a very hot topic after the recent ICO notices of intent to fine British Airways and Marriott International.

We have also included template letters to deal with Data Subjects’ rights requests, including subject access. This is another hot topic. On 25th June 2019, Enforcement Notices (under Part 3 of the DPA) were served by the ICO on the Metropolitan Police for sustained failures to comply with individuals’ rights in respect of subject access requests.

Contents

Template policies

  • Data Protection Policy – providing an overarching framework for compliant processing of personal data for law enforcement purposes as required under s56 DPA 2018
  • Sensitive Data Processing Policy – as required under s42 of DPA 2018

Procedures

  • Data breach reporting
  • Data Protection Impact Assessment template
  • Data Subject rights request response templates
  • System requirements specification – Summary of requirements to meet the audit and record keeping requirements of Part 3 of DPA 2018
  • International transfers

Privacy Notice templates

  • General (for publication)
  • Specific (for tailoring privacy information to particular individuals as required by s 44(2) of DPA 2018)

Records and Tracking logs

  • Information Asset Register
  • Record of Processing Activity (s 61)
  • Record of Sensitive Data processing
  • Data Subject Rights request tracker
  • Information security incident log
  • Personal data breach log
  • Third country transfer logs
  • Data protection advice log

The above documents are inter-related and contain cross references, particularly across the various tracker logs.

The documents are designed to be as simple as possible while meeting the statutory requirements placed on Data Controllers. They are available as an instant download (in Word Format) following payment. Sequential files and names make locating each document very easy.

Click here to read sample documents.

For only £249 plus VAT (Special Introductory Price), the policy pack gives a useful starting point for organisations of all sizes who have a law enforcement function and will save hours of drafting time and research time.

This LED processing policy pack complements the Act Now GDPR Policy Pack, which covers the general processing of personal data. The GDPR policy pack has been bought by public and private organisations including local authorities, utility companies, universities and charities.

To learn more about Part 3 of the DPA 2018, see our full day workshop and webinar on this topic. For a full GDPR update please see our new advanced workshop.

The BA and Marriott Data Breaches: The ICO takes its gloves off!

This week we saw the Information Commissioner’s Office (ICO) finally signal its intention to use its powers to issue Monetary Penalty Notices (fines) under the General Data Protection Regulation (GDPR). Two Notices of Intent have been issued. Both relate to cyber security incidents but are for different reasons and amounts.

Under the GDPR, supplemented by the Data Protection Act 2018 (DPA18), the ICO has a number of statutory duties and powers with regards to regulating Controllers’ and Processors’ obligations. Article 58 gives the ICO its powers. Article 83(2) sets out the criteria that have to be taken into account by the ICO when issuing fines. These include the nature, gravity and duration of the breach, the number of data subjects affected, level of damage and action taken to mitigate the damage. All this is outlined in the ICO’s Enforcement Policy.

British Airways Notice of Intent – £183 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident notified to the ICO by British Airways in September 2018. This incident in part involved user traffic to the British Airways website being diverted to a fraudulent site. Through this false site, customer details were harvested by the attackers. Personal data of approximately 500,000 customers were compromised in this incident, which is believed to have begun in June 2018.

The ICO’s investigation has found that a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well name and address information.”

According to various sources at the time, for a period of two weeks BA’s systems were compromised. Hackers took the personal and financial details of customers who made, or changed, flight bookings on www.BA.com or its app during that time. Names, email addresses and credit card information were stolen – including card numbers, expiration dates and the three-digit CVC code required to authorise payments.

According to an article from wired.co.uk, the BA vulnerability was a well-known one and could have been prevented with a simple fix. While we don’t know the exact details yet, perhaps that is why the ICO wants to fine BA a whopping £183 Million!

What this also appears to show is that, because the BA breach resulted in customers of BA being stuck in various holiday locations unable to get home, the effect on “the rights and freedoms of individuals” was certainly far more concrete (and some could say worse) than what we currently know about the Marriott data breach (see below). Perhaps this is why the fine amount is so high.

As soon as the notice of intent was filed BA announced they were going to appeal, either because they see themselves as the victim here (as stated in various press statements about the incident) or they believe that the ICO has acted disproportionately. We shall see…

Marriott Hotels Notice of Intent – £99 Million

According to the statement from the ICO:

“The proposed fine relates to a cyber incident which was notified to the ICO by Marriott in November 2018. A variety of personal data contained in approximately 339 million guest records globally were exposed by the incident, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA). Seven million related to UK residents.

It is believed the vulnerability began when the systems of the Starwood hotels group were compromised in 2014. Marriott subsequently acquired Starwood in 2016, but the exposure of customer information was not discovered until 2018. The ICO’s investigation found that Marriott failed to undertake sufficient due diligence when it bought Starwood and should also have done more to secure its systems.”

According to various sources (see the BBC article at the time), this specific cyber security breach related to one of the booking databases belonging to Starwood hotels. A vulnerability in the database was exploited in 2014 and continued to be exploited until an internal security tool detected suspicious activity in 2018. The database in question contained records of up to 500 million customers, of which 339 million were compromised, including names, addresses and encrypted payment card information.

In 2016 Starwood (and all its assets and liabilities) was bought by Marriott. Part of the ICO statement accuses Marriott of not completing effective due diligence on Starwood, and that appears to be the main reason for the intention to fine. One would conclude therefore that when purchasing a company a full security assessment and penetration test of the IT network and systems should be completed. Marriott have also announced their intention to appeal the notice of intent. Not surprising when it is £99 Million!

What does this mean?

As with the Metropolitan Police announcement a few weeks ago, I’m sure these announcements will go down in Data Protection history, but until the action is confirmed and the money exchanges accounts, what it exactly means for the regulatory landscape is yet to be seen. These are just intentions to fine, not the actual fines themselves. The press (and some people that still don’t understand Data Protection when they claim to) got all excited about it at the time (and were corrected by many on social media). I think someone used the phrase (which I now cannot find, so I can’t credit you – sorry!) “it’s basically like me saying I have an intention to buy my lunch”. But your lunch currently isn’t bought, and you are, indeed, still hungry!

What it means in terms of what you can practically do in your day jobs however is quite clear. GDPR emphasises the need to have ‘effective organisational and technical measures’. So, if you are going to buy a business (or just build a new system) ensure you have done your due diligence and testing on it to help mitigate any potential risks. You can’t catch everything (especially in a cyber security context) but at the very least you must be seen to be trying. Doing nothing, or ‘ignorance is bliss’, will ultimately land you in trouble.

Secure systems, privacy by design, effective cyber security and a half decent data culture will help you on your path and is a fair size more beneficial than the world of ignorance.

Scott Sammons is a trainer with Act Now. More on these and other developments will be in our GDPR Update webinar and full day workshop presented by Ibrahim Hasan. Looking for a GDPR qualification, our practitioner certificate is the best option.

Photo: Thanks to Sam Truong Dan for making this photo available freely on @unsplash 🎁 https://unsplash.com/photos/-rF4kuvgHhU 

The Data Protection Act 2018 – Pre and Post Brexit

The Data Protection Act 2018 (DPA 2018) came into force on 25th May 2018, alongside the General Data Protection Regulation (GDPR). Much has been written about it, both right and wrong.

The purpose of the DPA 2018 is nicely summarised by the Information Commissioner in her blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) … The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Part 2 of the Act supplements the GDPR, i.e. it fills in some of the gaps by enacting “derogations”; areas where Member States are allowed to make their own rules, e.g. about exemptions. This part has to be read alongside the GDPR.

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by FOI). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes, implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of the GDPR. This part will only apply to competent authorities, i.e. those that process personal data for the purposes of investigating criminal offences or threats to public security, e.g. the police, trading standards departments etc.

Read a full summary of the Act here.

What will happen to the Act and indeed GDPR post Brexit? Well this depends on whether we have a deal or no deal! More on our blog post here.

Act Now’s series of workshops on the DPA 2018 are proving very popular amongst GDPR practitioners. The next course in Belfast is fully booked. Forthcoming venues include London, Edinburgh, Leeds and Manchester. Our experts will explain the Act in detail in plain English busting some myths on the way and discussing what lies ahead in the post Brexit situation.

Book early to avoid disappointment. Click on the flyer below to see what we cover on the course.

Ibrahim Hasan is a solicitor and director of Act Now Training (www.actnow.org.uk)

GDPR Practitioner Certificate: New Course For London

By popular demand Act Now Training has added an extra course in London for its GDPR Practitioner Certificate. This course is aimed at those undertaking the role of Data Protection Officer under GDPR, whether in the public or the private sector. It will teach delegates essential GDPR skills and knowledge.

The course takes place over four days (one day per week) and involves lectures, assessments and exercises. This is followed by a written assessment. Candidates are then required to complete a practical project (in their own time) to achieve the certificate.

The new London course starts on 1st April 2019. Subsequent dates are 8th April, 15th April and 29th April.

This course has been super successful since launch. We ran it over 60 times in 2018 alone with over 900 delegates being trained. You can read some of the feedback here.

Make 2019 the year you achieve a GDPR qualification. Book early to avoid disappointment. 

BREXIT UPDATE: If you want to know more about how a No Deal Scenario will impact on GDPR and the DPA 2018, Ibrahim Hasan is presenting a webinar on 18th March 2019. We also have a new webinar on international transfers pre and post Brexit.

The role of the Court of Justice of the European Union (CJEU) post Brexit

By Susan Wolf

In our previous Blog, we examined the European Union (Withdrawal) Act 2018 and explained that the GDPR, EIR and PECR will remain on the domestic statute book post Brexit. In other words they will continue to be legally binding after the date that the UK leaves the European Union in March 2019.

In this blog we briefly examine the role of the Court of Justice of the EU (or CJEU) post Brexit. We explain how, despite leaving the EU, the interpretive rulings of the CJEU in relation to the following legislation, will continue to have relevance for UK organisations and practitioners:

  • The GDPR 2016
  • The Law Enforcement Directive 2016/680
  • The Directive on Public Access to Environmental Information 2003/4
  • The Privacy and Electronic Communications Directive 2002/58

Preliminary Rulings of the CJEU

Any national court or tribunal of a Member State has the right to request a ‘preliminary ruling’ from the CJEU, where it considers that a ruling is ‘necessary’ to enable it to give judgment in a case involving the interpretation of EU law. The CJEU has jurisdiction to interpret EU Law, but it does not rule on the outcome of a case. This task falls to the national court that has requested the ruling. However, the national court is bound to follow the CJEU’s interpretation. The ruling is also authoritative and must be followed by the courts and tribunals of all the Member States.

For example, in East Sussex County Council v the ICO (2013), the First Tier (Information Rights) Tribunal requested a ruling from the CJEU on the meaning of ‘reasonable charges’ for the supply of environmental information. Quite clearly, the CJEU’s interpretation has had major implications for public authorities subject to the EIR 2004, particularly those providing property search information. But the interpretation given by the CJEU is also binding on public authorities throughout the EU.

The purpose of the procedure is to ensure that EU Law is interpreted ‘uniformly.’ This is particularly important given that the EU currently comprises 28 Member States and has 24 official languages and each country has a different and unique legal tradition and culture.

A Red Line not to be crossed

The role of the Court of Justice, post Brexit, has been one of the controversial aspects of the Brexit negotiations, with the Prime Minister Theresa May suggesting that its continued jurisdiction was a ‘red line’ not to be crossed. In fact the position is more complex and nuanced.

Under the terms of the EU (Withdrawal) Act 2018, the UK national courts and tribunals, including the First Tier (Information Rights) Tribunal, will no longer be allowed to refer questions about the interpretation of EU law to the Court of Justice. However, in the interest of certainty, previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding. Therefore, any questions as to the meaning of retained EU law will be determined by the UK courts by reference to the CJEU’s case law as it exists on the day the UK leaves the EU. For example, the CJEU’s ruling on the interpretation of the Privacy and Electronic Communications Directive in a German case (Deutsche Telekom AG v Bundesrepublik Deutschland (2011)) continues to be binding on the UK courts.

The Supreme Court

The position is different for the Supreme Court (or the High Court of Justiciary in Scotland). Under the EU (Withdrawal) Act both the English and Scottish highest courts can depart from any retained EU case law if it appears ‘right to do so’. In deciding whether to do this the court must apply the same test as it would apply in deciding whether to depart from its own case law. In practice, this power is exercised rarely and there is no reason to suggest that the Supreme Court will seek to depart from any existing CJEU rulings, at least in the immediate future.

What about future CJEU rulings?

There can be no doubt that the GDPR and the Law Enforcement Directive 2016 will raise significant questions of interpretation in the future. Inevitably the CJEU will soon be faced with preliminary ruling requests on key questions, such as the interpretation of the ‘right to be forgotten’ in the GDPR. However, given the time it takes to obtain a preliminary ruling (often over a year), it will be some time before the Court is able to cast some light on these new provisions.

As one might expect, the EU (Withdrawal) Act makes it clear that the domestic national courts and tribunals are no longer bound by any principles laid down, or any decisions made, by the CJEU on or after the date of exiting the EU. This comes as no surprise. However, what is perhaps less well known is that the national courts and tribunals may have regard to post-Brexit rulings if the national court ‘considers it appropriate to do so’. Of course, it remains to be seen how willing the national courts will be to ‘follow’ any future rulings. However, it would be prudent to suggest that information rights/data protection practitioners and lawyers should still pay close attention to future CJEU rulings on the interpretation of EU information rights and data protection laws, post March 2019.

(Future CJEU preliminary rulings will be posted on the Act Now Blog).

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Don’t forget about our GDPR Helpline; it’s a great tool to use for some advice when you really need it.


The EU Withdrawal Act 2018: What does it mean for information rights practitioners?


By Susan Wolf

Amidst all the media attention about the resignation of David Davis and Boris Johnson, and what type of deal (if any) the UK will end up with, uncertainty seems to be the current default setting in British politics. However, there is one certainty that may have escaped many people’s attention, namely that the European Union (Withdrawal) Act 2018 received Royal Assent on 26 June 2018. Many would be forgiven for not noticing that after over 270 hours of debate in Parliament (during which the government was forced to concede some significant amendments proposed by the House of Lords) the Bill became law on 26th June. Many would also be forgiven for not knowing what the Act does or what it is trying to achieve. This guide is intended to briefly summarise the EU (Withdrawal) Act 2018. Further and more detailed information will be provided in follow-up blogs on the impact of Brexit on the GDPR, EIR and the PECR.

Why was it necessary to enact the EU (Withdrawal) Act and what does it do?

EU law covers many areas of daily life, including employment law, environmental law and of course data protection law. EU legislation, enacted by the EU institutions, takes the form of:

  • EU Regulations (such as the General Data Protection Regulation 2016). EU Regulations are described as ‘directly applicable’. This means that they require no national implementing legislation, because they automatically become part of domestic law when enacted by the EU institutions. EU Regulations are designed to ensure that the law is uniform throughout the EU.
  • EU Directives are quite different from EU Regulations. Directives set out the objectives that are to be achieved but leave some degree of latitude to Member States on how to achieve them. Directives require Member States to introduce national legislation in order to bring the provisions of the directive into force.
    • For example, the Environmental Information Regulations (EIR) 2004 is a piece of domestic law that implements the provisions of the EU Directive on Public Access to Environmental Information 2003/4/EC.
  • Most EU Directives are implemented into domestic law by means of statutory instruments, but the Data Protection Directive 95/46/EC was implemented into domestic law by the Data Protection Act 1998. The Law Enforcement Directive 2016/680/EU has been implemented into domestic law by Part 3 of the Data Protection Act 2018.

The European Communities Act (ECA) 1972 is the statutory mechanism that enables such EU legislation to have legal effect in the UK. In particular, it allowed EU regulations to take effect in domestic law and gave Ministers powers to introduce secondary legislation to implement directives.

The referendum decision on 23rd June 2016 in favour of leaving the EU meant that the European Communities Act 1972 had to be repealed. However, repealing the ECA 1972 would have resulted in large areas of EU law and regulation no longer having any legal effect in the UK. It is widely recognised that this would have created a ‘black hole’ in the domestic statute book and a huge amount of legal uncertainty about the applicable law and the rights previously conferred by EU law.

The EU (Withdrawal) Act 2018 repeals the European Communities Act from the date that we leave the EU, 29th March 2019. However, to avoid the problem described above, the Act essentially ‘converts’ EU law as it stands at the time we exit the EU into domestic law. It also ‘preserves’ all laws made in the UK to implement EU obligations (such as the Environmental Information Regulations 2004). In a nutshell, it means that all the laws and regulations made over the last 40 years, while the UK was an EU Member State, will continue to apply after Brexit. Contrary to what members of the public may have believed when they voted in favour of leaving, EU law will continue to have force in the UK after the date of exit.

This means the following will continue to have effect after the date when the UK leaves the EU:

  • The GDPR 2016
  • The Environmental Information Regulations 2004
  • The Law Enforcement Directive 2016 provisions in Part 3 of the Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

After the UK has exited the EU in March 2019, Parliament will be able to decide which of the ‘EU retained’ laws and regulations it wishes to keep, repeal or amend. Ministers will be given wide-ranging and somewhat controversial powers to make these changes by secondary legislation. In particular, there has been criticism about the use of secondary legislation (and the lack of parliamentary scrutiny) to potentially repeal important statutory provisions.

The extent to which these powers may be exercised, and may impact on current EU information rights and data protection law, including the GDPR, the Privacy and Electronic Communications Regulations, the Environmental Regulations and the Law Enforcement Directive, will be considered in subsequent blogs and forthcoming webinars.

Judicial interpretation of retained EU Law

The courts and tribunals of the Member States have a legal obligation to interpret national law that gives effect to EU law in a purposive manner. This means there is a duty on the courts to do what is within their jurisdiction to interpret national law in a manner that best achieves the results laid down in EU law, and offers the effective protection of any legal rights conferred by EU law. This is known as ‘indirect effect’ or the ‘duty of sympathetic interpretation’. For example, the Information Rights Tribunal has frequently cited the aims of the Environmental Information Directive as an aid to the interpretation of the EIR 2004. The Directive requires that the exceptions to disclosure are interpreted in a restrictive manner, and there is clear evidence that the First Tier and Upper Tribunals have taken this on board in their decision-making.

Post Brexit, the national courts will no longer be bound to do this. However, it is unlikely that the national courts will return to the traditional ‘literal’ approach to interpretation. Increasingly the national courts have shown a willingness to interpret most legislation in a purposive fashion and this is unlikely to change as a result of Brexit.

Where the courts have been faced with the interpretation of national law that gives effect to EU law, they have been able to refer questions to the Court of Justice of the European Union, using the ‘preliminary rulings procedure’. The preliminary rulings of the CJEU are currently binding and seek to ensure that the law throughout Europe is uniformly interpreted. As many information rights practitioners will know, the CJEU has handed down some significant rulings on the interpretation of the 1995 Data Protection Directive 95/46/EC (such as the famous Lindqvist case in 2001 on the processing of personal data on the internet [1]) and on public authorities under the Environmental Information Directive 2003/4/EC in Fish Legal v the Information Commissioner [2]. In the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.

The continuing relevance of these decisions and the role of the Court of Justice, post Brexit, will be considered in a later blog.

[1] Case C-101/01 Criminal proceedings against Bodil Lindqvist

[2] Case C-279/12 Fish Legal and Emily Shirley v Information Commissioner and Others

GDPR is coming but don’t panic!

The General Data Protection Regulation (GDPR) will come into force in 3 weeks’ time. 25th May though is not a cliff edge; nor is it doomsday when the Information Commissioner will start wielding her 20 million Euro (fine) stick!

In December, the Commissioner addressed some of the myths being peddled about GDPR:

“I’ve even heard comparisons between the GDPR and the preparations for the Y2K Millennium Bug…

In the run up to 25 May 2018 there have been anxieties too, albeit on a less apocalyptic level. Things like we’ll be making early examples of organisations for minor breaches or reaching for large fines straight-away and that the new legislation is an unnecessary burden on organisations.

I want to reassure those that have GDPR preparations in train that there’s no need for a Y2K level of fear…”

There are a number of steps that you should be taking to prepare for GDPR. Remember, failure to have completed these tasks by 25th May will not lead to a 20 million Euro fine. However, to quote the Commissioner at the ICO Conference this year, “It’s important that we all understand there is no deadline. 25th May is not the end. It is the beginning.”

  1. Raising awareness about GDPR at all levels. Our GDPR e-learning course is ideal for frontline staff.
  2. Carrying out a data audit and reviewing how you address records management and information risk in your organisation.
  3. Reviewing information security policies and procedures in the light of the GDPR’s more stringent security obligations, particularly breach notification.
  4. Revising privacy policies in the light of the GDPR’s more prescriptive transparency requirements. See our policy
  5. Writing policies and procedures to deal with new and revised Data Subject rights such as Data Portability and Subject Access.
  6. Considering whether you need a Data Protection Officer and, if so, who is going to do the job. Our GDPR certificate course is ideal for new DPOs.

Done everything? Have a go at the ICO’s GDPR Self Assessment Toolkit. Read the Commissioner’s full speech here.

Please get in touch if Act Now can help with your GDPR preparations. We provide audits, health checks and can offer a gap analysis, all followed by a step by step action plan!

Act Now Launches GDPR Handbook

We all know that the General Data Protection Regulation (GDPR) cannot be read in isolation.

In September, the DCMS published the Data Protection Bill. Amongst other things, it sets out how the UK Government intends to exercise its GDPR “derogations”, where Member States are allowed to make their own rules.

There are also a number of guidance documents from the Information Commissioner’s Office as well as the Article 29 Working Party on different aspects of GDPR. Wouldn’t it be useful to have one version of the GDPR containing clear signposts to the relevant provisions of the Bill and official guidance under each Article/Recital?

Act Now is pleased to announce the launch of its GDPR Handbook. This is a B5-size colour document. It is designed for data protection practitioners who want a single printed resource on the GDPR. It contains the full text of the GDPR together with:

  • Corresponding GDPR Recitals under each Article
  • Notes on the relevant provisions of the Data Protection Bill
  • Links to official guidance and useful blog posts
  • Relevant extracts of the Data Protection Bill (in the Appendices).

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals, which are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two. By placing the corresponding Recitals under each Article, the Act Now GDPR Handbook allows a more natural reading of the GDPR.

The Act Now GDPR Handbook is currently on sale at the special introductory price of £29.99. There is a 33% discount for the public sector and charities.

This will be a very useful document for those acting as Data Protection Officer under GDPR as well as data protection lawyers and advisers.

CHARITY DONATION

In recent weeks, half a million people, mostly Rohingya women and children, have fled violence in Myanmar’s (Burma) Rakhine state. They are seeking refuge in Bangladesh, where they urgently need food, water, shelter and medical care.

For each copy of the GDPR handbook you order, Act Now Training will donate £1 to the Disasters Emergency Committee’s Emergency Appeal.

By popular demand, we have added an extra course in Manchester for our GDPR Practitioner Certificate. Our first workshop on the Data Protection Bill course is fully booked. We have places left in London and Manchester.