2018 was a landmark year for data protection and privacy; the EU General Data Protection Regulation (“GDPR”) came into effect on 25 May 2018 and implemented a comprehensive reform of the EU data protection regime. So what could 2019 possibly have in store for data protection and privacy? This article sets out some predictions for further data protection developments in the year to come.
- First and foremost, we can’t avoid Brexit. Deal or no deal, the impact of this world-changing event will be keenly felt in the data protection landscape. Long-term, we will need to wait until 2020 at least to see if the UK is found to be “adequate”, but the short-term impact will depend very much on the ability of the politicians to agree on exit.
- The Court of Appeal judgment in the Morrisons case, combined with the legislative changes made by the GDPR, increased public awareness of data protection issues, and the publicity that the case attracted, could spark a new wave of class action court cases from workers and customers in the event of a data breach. Whilst individuals may not themselves be entitled to significant sums, if the data breach affects large numbers of individuals, the total potential liability for organisations could become commensurately large.
- After US mid-term elections gave the Democrats control over the House of Representatives, and data privacy scandals such as the Facebook/Cambridge Analytica one saw privacy being scrutinised by the Senate, could the prospect of a US federal privacy law analogous to the GDPR be a possibility in 2019?
- Although ostensibly technology neutral, 2018 saw calls for the GDPR to be reviewed and amended because it is not fit for purpose for use with new technologies such as blockchain. As technology continues to move ahead of regulation in 2019, is it realistic to expect to see a legal review of the GDPR as an effort to make sure that privacy regulation does not impede innovation?
- The GDPR appears to have resulted in a big shift away from consent as the processing condition relied upon for the majority of commercial processing activities. Higher standards for valid consent have resulted in a move towards reliance on “legitimate interests” instead. But how many organisations are properly carrying out a legitimate interests assessment before relying on the legitimate interests condition? This could be an area ripe for regulatory scrutiny in 2019.
- The implementation of GDPR in 2018 has resulted in radically increased levels of complaints to the regulator and data breach regulatory notifications, resulting in significant resource pressures being placed on the national supervisory authorities. 2019 could see multiple supervisory authorities across Europe seeking additional resource and funding from national governments in order to be able to cope with demand.
- Use of new technologies and analytics could push the boundaries of “personal data” even further in 2019, for example through increasing use of voice-pattern and gait analysis recognition as a means of identifying and authenticating individuals. Do we need guidance on the fundamental definition of personal data in 2019?
- 2019 will hopefully be the year when the European Data Protection Board addresses some of the key areas of GDPR concern through guidance. Although we finally got draft guidance on extra-territoriality towards the end of 2018, there are still significant gaps in regulatory guidance waiting to be filled in 2019.
- 2019 may be the year of the new ePrivacy Regulation. This key piece of legislation, which supplements the GDPR, has already been delayed in the European legislative process. If and when it is finally agreed, can we hope for clarity on issues such as B2B marketing, use of the soft opt-in, and cookie consent?
- Could 2019 be the year when international transfers either sink or swim? Although the recent report on the 2nd annual US Privacy Shield review was less critical than some had expected, 2019 could still see: the results of a legal challenge to the standard contractual clauses; an update to the standard contractual clauses to reflect the new legislative regime; and Brexit potentially resulting in the UK becoming a third country. All of these factors could make it very difficult for organisations to transfer data around the world in a compliant manner.
The UK Government has published a “no deal” note to clarify how data protection law will work in the event that the UK leaves the EU without a deal. The note confirms that separate draft regulations and more detailed guidance will be published in the next few weeks but, in the meantime, it clarifies at a high level a number of key issues for organisations both within the UK and outside but doing business with the UK.
In May 2015, as part of its Digital Single Market Strategy, the European Commission published proposals to reform the EU telecommunications regulatory framework. Following a series of consultations in 2015, the Commission published further proposals to reform the EU legislation in September 2016, with the aim of improving internet connectivity across the EU. The proposals included: a directive setting out a European Electronic Communications Code (the Code), to replace the existing four key telecommunication directives; a regulation to increase the powers designated to the Body of European Regulators for Electronic Communications, BEREC, including to contribute to the consistent application of the measures laid down by the Code (the Regulation); and an action plan for the development of 5G in Europe.
As part of its Digital Single Market Strategy and following extensive consultation in 2015, in May 2016 the European Commission adopted new legislative amendments to the Audiovisual Media Services Directive (“AVMSD”). The proposals seek to modernise the Directive to reflect “market, consumption and technological changes”, largely arising from convergence between television and internet services and the increase in on-demand content consumption.
After a lengthy legislative process, the Council of the European Union formally adopted the AVMSD on 6 November 2018. The AVMSD was then published in the Official Journal of the European Union and entered into force on 19 December 2018. Member States now have 21 months to transpose it into national legislation (September 2020).
The EU geo-blocking Regulation (Regulation 2018/302 of 28 February 2018) (the Regulation) comes into force on 3 December 2018. The Regulation aims to remove barriers to cross-border trade and enable consumers to purchase goods and services from businesses located in different Member States on equal terms to nationals of that Member State. Businesses selling online in the EU, regardless of where they are based, will need to make sure that their terms and conditions, including payment methods, do not discriminate against online customers on the basis of their nationality, place of residence or place of establishment.
Ending unjustified geo-blocking has been an important goal for the Commission under its Digital Single Market initiative which aims to break down barriers to cross-border online activity and remove key differences between online and offline markets. Other measures which are aimed at promoting cross-border e-commerce in the EU include:
- a new Regulation on cross-border parcel delivery services making pricing more transparent and affordable (which came into effect on 22 May 2018);
- new rules to reduce the VAT related administrative burden of cross-border transactions (which come into effect in January 2021);
- a new revised Consumer Protection Cooperation Regulation (which will take effect from 17 January 2020) which will allow national authorities to cooperate to jointly address breaches of consumer law with a cross-border element.
On 23 November 2018, the European Data Protection Board (the “EDPB”) published its draft guidelines on Article 3 of the GDPR, being the provision that sets out the territorial scope of Europe’s data protection legislation.
The guidelines are only in draft form and subject to consultation but they do go some way to clarifying key questions regarding the application of the GDPR. That being said, they do not cover every possible permutation of Article 3, meaning that there remain gaps where organisations will need to exercise judgment without any comfort that their interpretation will align with that of the regulators. In particular, there would seem to still be question marks around the application of Article 3(2)(a) and what actually constitutes the offering of goods and services to individuals in the EU.
The House of Commons Treasury Committee has launched an inquiry into IT failures in the financial services sector. The inquiry will focus on the causes and consequences of operational incidents in the financial services sector and will examine the work being undertaken by industry and regulators to promote operational resilience. The Committee has also published correspondence between Nicky Morgan, Chair of the Treasury Committee, and company executive officers, including:
- a letter on partial system disruption from Jes Staley, Group Chief Executive, Barclays and appendix;
- a letter on service incidents from Rich Wagner, Chief Executive Officer, Cashplus;
- a letter on NatWest and RBS Service Failure from Ross McEwan, Chief Executive Officer, RBS; and
- a letter on partial service disruption on 1 June from Charlotte Hogg, Chief Executive Officer, Visa Europe.
The Committee will appoint a Specialist Advisor for this inquiry to provide analysis and is seeking expressions of interest for the position. Submissions to the inquiry are requested by 18 January 2019.
The EU Commission has published a news release on the EU Blockchain’s Industry Roundtable held on 20 November 2018. The roundtable was an important step towards creating a European community to support the deployment of blockchain in the European Union. The EU Commission welcomed the announcement of the establishment of the “International Association for Trusted Blockchain Applications” by several participants that will be based in Europe and open to any organisation willing to work on the deployment of blockchain and distributed ledger technologies to transform digital services.
On 6 November 2018, the Council of the European Union formally adopted a new directive revising the existing Audiovisual Media Services Directive (2010/13/EU) (“AVMSD”). This is the final stage in the lengthy legislative process and the new directive will enter into force on the 20th day after its publication in the Official Journal of the EU. Member states will have 21 months to transpose it into national legislation (likely to be around August 2020).
The existing directive on the provision of audiovisual media services dates back to 2010. The market has developed significantly since then; fast paced technological advances arising from the convergence between television and internet services have led to new types of services and changes in viewing habits (particularly an increase in on-demand content consumption). User-generated content has also gained in importance. The legislative amendments seek to reflect these market developments.
If the level of capital flowing into the financial technology sector is any indication, the growth in number and size of financial technology start-ups cannot be denied. According to a report by KPMG, global investment in fintech companies reached US $57.9 billion by mid-year of 2018, already exceeding the total investment figures of 2017.