Data Protection in 2019 – didn’t we already do this?

Last year was very busy for data protection compliance with the introduction of the General Data Protection Regulation (‘GDPR’). Whilst the culture of data handling has undoubtedly changed since the arrival of GDPR and the Data Protection Act 2018, that is not the end of the story. It is expected that this year a draft European regulation relating to privacy and electronic communications will be finalised, adding further requirements in respect of electronic communications. Additionally, the impact of Brexit on data transfers to European countries may also necessitate putting further procedures or documentation in place prior to 29 March 2019.

The ePrivacy Regulation

Proposed new regulations, the ePrivacy Regulation (“ePR”), will replace the current Privacy and Electronic Communications Directive 2002 and, whilst the ePR will integrate with the GDPR, their scope differs. For businesses that did not draft documents and policies to future-proof for the ePR, there may need to be further changes. Even where policies were drafted to be future-proof, a review may need to be undertaken to ensure they remain fully compliant with the finalised regulation.

The ePR differs from the GDPR in that it relates specifically to electronic communications data and it may also concern non-personal data, whereas the GDPR governs the protection of solely personal data. The current ePrivacy rules already require consent for sending marketing via email and SMS, but the ePR suggests extending the scope to also cover other electronic communication methods such as Gmail, Skype, WhatsApp and Facebook Messenger when used for marketing. Consent is also required for the use of certain cookies and other similar (tracking) technologies, but it remains unclear whether this can be implied through continued use of a website.


In terms of data transfer within the EEA, it is unlikely that the UK will benefit from an adequacy decision immediately after Brexit, and the UK will therefore become a ‘third country’ for information security purposes. Transfers of personal data between the UK and EEA will therefore need sufficient safeguards in place, such as use of the European Commission’s standard contractual clauses, to comply with data privacy laws. Such protection will be required both between unrelated parties and between companies within the same group. Businesses will need to consider what contracts or arrangements they have in place under which personal data is transferred to overseas entities, as these may need to be bolstered by additional standard clauses.

Whilst 2018 was indeed a significant year for data protection compliance, there are more changes on the horizon. With the need to deal with the ePrivacy Regulation and Brexit, it’s clear that data protection compliance is going to be an ongoing theme of 2019.

Fiona Moss is a Senior Associate in our corporate and commercial department with experience in data protection compliance.

The contents of this update are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this update.

