Last year was very busy for data protection compliance with the introduction of the General Data Protection Regulation (‘GDPR’).
Whilst the culture of data handling has undoubtedly changed since the arrival of GDPR and the Data Protection Act 2018, that is not the end of the story. It is expected that this year a draft European regulation relating to privacy and electronic communications will be finalised, adding further requirements in respect of electronic communications. Additionally, the impact of Brexit on data transfers to European countries may necessitate further procedures or documentation being put in place prior to 29 March 2019.
The ePrivacy Regulation
The proposed new regulation, the ePrivacy Regulation (“ePR”), will replace the current Privacy and Electronic Communications Directive 2002 and, whilst the ePR will integrate with the GDPR, their scope differs. Businesses that did not draft documents and policies to future-proof for the ePR may need to make further changes. Even where policies were drafted to be future-proof, a review may need to be undertaken to ensure they remain fully compliant with the finalised regulation.
The ePR differs from the GDPR in that it relates specifically to electronic communications data and may also concern non-personal data, whereas the GDPR governs the protection of personal data only. The current ePrivacy rules already require consent for sending marketing via email and SMS, but the ePR suggests extending the scope to also cover other electronic communication methods such as Gmail, Skype, WhatsApp and Facebook Messenger when used for marketing. Consent is also required for the use of certain cookies and other similar (tracking) technologies, but it remains unclear whether this can be implied through continued use of a website.
In terms of data transfer within the EEA, it is unlikely that the UK will benefit from an adequacy decision immediately after Brexit, and the UK will therefore become a ‘third country’ for information security purposes. Transfers of personal data between the UK and EEA will therefore need sufficient safeguards in place, such as use of the European Commission’s standard contractual clauses, to comply with data privacy laws. Such protection will be required both between unrelated parties and between companies within the same group. Businesses will need to consider which of their contracts or arrangements involve the transfer of personal data to overseas entities and may need to be bolstered by additional standard clauses.
Whilst 2018 was indeed a significant year for data protection compliance, there are more changes on the horizon. With the need to deal with the ePrivacy Regulation and Brexit, it’s clear that data protection compliance is going to be an ongoing theme of 2019.
Fiona Moss is a Senior Associate in our corporate and commercial department with experience in data protection compliance.
The contents of this update are intended as guidance for readers. It can be no substitute for specific advice. Consequently we cannot accept responsibility for this information, errors or matters affected by subsequent changes in the law, or the content of any website referred to in this update.