Act Now welcomes Susan Wolf to the team

Susan Wolf has over ten years’ experience teaching information rights practitioners on the LLM Information Rights Law & Practice at Northumbria University. She has also presented workshops on the FOIA, the EIR, and access to EU information in Germany, Czech Republic and throughout the UK. Susan developed the Postgraduate Certificate in Data Protection Law & Information Governance at Northumbria University.

Susan is the author of the Law Society’s Environmental Information: A Practical Guide and contributed to the Law Society’s Information Sharing Handbook. She has also published articles on various aspects of the EIR and Access to EU Documentation. Susan has also published textbooks on European Union and Environmental Law.

Susan worked for Newcastle City Council for ten years advising on access to EU funding and worked closely with the EU institutions. She is also a trustee of a national charity, leading on information governance and implementation of the GDPR. Susan has undertaken contract research, consultancy and training for public sector organisations.

Ibrahim Hasan said, “Susan’s experience shines through. With her many years teaching practitioners at University and work within the public sector, she will be an excellent addition to the growing Act Now team. With all this experience we believe we are even better placed to fulfil all your organisation’s information governance needs. Be sure to look out for Susan’s workshops in our course programme.”

Posted in Training

The role of the Court of Justice of the European Union (CJEU) post Brexit

By Susan Wolf

In our previous Blog, we examined the European Union (Withdrawal) Act 2018 and explained that the GDPR, EIR and PECR will remain on the domestic statute book post Brexit. In other words they will continue to be legally binding after the date that the UK leaves the European Union in March 2019.

In this blog we briefly examine the role of the Court of Justice of the EU (or CJEU) post Brexit. We explain how, despite the UK leaving the EU, the interpretive rulings of the CJEU in relation to the following legislation will continue to have relevance for UK organisations and practitioners:

  • The GDPR 2016
  • The Law Enforcement Directive 2016/680
  • The Directive on Public Access to Environmental Information 2003/4
  • The Privacy and Electronic Communications Directive 2002/58

Preliminary Rulings of the CJEU

Any national court or tribunal of a Member State has the right to request a ‘preliminary ruling’ from the CJEU, where it considers that a ruling is ‘necessary’ to enable it to give judgment in a case involving the interpretation of EU law.  The CJEU has jurisdiction to interpret EU Law, but it does not rule on the outcome of a case. This task falls to the national court that has requested the ruling. However, the national court is bound to follow the interpretive ruling, which is binding. The ruling is also authoritative and must be followed by the courts and tribunals of all the Member States.

For example, in East Sussex County Council v the ICO (2013), the First Tier (Information Rights) Tribunal requested a ruling from the CJEU on the meaning of the ‘reasonable charges’ for the supply of environmental information. Quite clearly, the CJEU’s interpretation has had major implications for public authorities subject to the EIR 2004, particularly those providing property search information. But the interpretation given by the CJEU is also binding on public authorities throughout the EU.

The purpose of the procedure is to ensure that EU Law is interpreted ‘uniformly.’ This is particularly important given that the EU currently comprises 28 Member States and has 24 official languages and each country has a different and unique legal tradition and culture.

A Red Line not to be crossed

The role of the Court of Justice, post Brexit, has been one of the controversial aspects of the Brexit negotiations, with the Prime Minister Theresa May suggesting that its continued jurisdiction was a ‘red line’ not to be crossed. In fact the position is more complex and nuanced.

Under the terms of the EU Withdrawal Act 2018, the UK national courts and tribunals, including the First Tier (Information Rights) Tribunal, will no longer be allowed to refer questions about the interpretation of EU law to the Court of Justice. However, in the interest of certainty, previous CJEU rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding. Therefore, any questions as to the meaning of EU retained law will be determined by the UK courts by reference to the CJEU’s case law as it exists on the day the UK leaves the EU. For example, the CJEU’s ruling on the interpretation of the Privacy and Electronic Communications Directive in a German case (Deutsche Telekom AG v Bundesrepublik Deutschland (2011)) continues to be binding on the UK courts.

The Supreme Court

The position is different for the Supreme Court  (or High Court of Justiciary in Scotland). Under the EU (Withdrawal) Act both the English and Scottish highest courts can depart from any retained EU case law if it appears ‘right to do so’. In deciding whether to do this the court must apply the same test as it would apply in deciding whether to depart from its own case law. In practice, this power is exercised rarely and there is no reason to suggest that the Supreme Court will seek to depart from any existing CJEU rulings, at least in the immediate future.

What about future CJEU rulings?

There can be no doubt that the GDPR and the Law Enforcement Directive 2016 will raise significant questions of interpretation in the future. Inevitably the CJEU will soon be faced with preliminary ruling requests on key questions, such as the interpretation of the ‘right to be forgotten’ in the GDPR. However, given the time it takes to obtain a preliminary ruling (often over a year), it will be some time before the Court is able to cast some light on these new provisions.

As one might expect, the EU Withdrawal Act makes it clear that the domestic national courts and tribunals are no longer bound by any principles laid down, or any decisions made, by the CJEU on or after the date of exiting the EU. This comes as no surprise. However, what is perhaps less well known is that the national courts and tribunals may have regard to post Brexit rulings if the national court ‘considers it appropriate to do so’. Of course, it remains to be seen how willing the national courts will be to ‘follow’ any future rulings. However, it would be prudent to suggest that information rights/data protection practitioners and lawyers should still pay close attention to future CJEU rulings on the interpretation of EU information rights and data protection laws, post March 2019.

(Future CJEU preliminary rulings will be posted on the Act Now Blog).

We are running GDPR and DPA 2018 workshops throughout the UK. Head over to our website to book your place now.

There is one space remaining on our GDPR Practitioner Certificate Intensive course in London starting on 20th August. Book now.

Need to train frontline staff quickly? Try our extremely popular GDPR e-learning course.

Don’t forget about our GDPR Helpline; it’s a great tool to use for some advice when you really need it.

Posted in Brexit, CJEU, EU DP Regulation, EU Withdrawal, GDPR

The EU Withdrawal Act 2018: What does it mean for information rights practitioners?

By Susan Wolf

Amidst all the media attention about the resignation of David Davis and Boris Johnson, and what type of deal (if any) the UK will end up with, uncertainty seems to be the current default setting in British politics. However, there is one certainty that may have escaped many people’s attention, namely that the European Union (Withdrawal) Act 2018 received Royal Assent on 26 June 2018. Many would be forgiven for not noticing that after over 270 hours of debate in Parliament (during which the government was forced to concede some significant amendments proposed by the House of Lords) the Bill became law on 26th June. Many would also be forgiven for not knowing what the Act does or what it is trying to achieve. This guide is intended to briefly summarise the EU Withdrawal Act 2018. Further and more detailed information will be provided in follow up blogs on the impact of Brexit on the GDPR, EIR and the PECR.

Why was it necessary to enact the EU (Withdrawal) Act and what does it do?

EU law covers many areas of daily life, including employment law, environmental law and of course data protection law.  EU legislation, enacted by the EU institutions, takes the form of:

  • EU Regulations (such as the General Data Protection Regulation 2016). EU Regulations are described as ‘directly applicable’. This means that they require no national implementing legislation, because they automatically become part of domestic law when enacted by the EU institutions. EU Regulations are designed to ensure that the law is uniform throughout the EU.
  • EU Directives are quite different from EU Regulations. Directives set out the objectives that are to be achieved but leave some degree of latitude to Member States on how to achieve them. Directives require Member States to introduce national legislation in order to bring the provisions of the directive into force.
    • For example, the Environmental Information Regulations (EIR) 2004 is a piece of domestic law that implements the provisions of the EU Directive on Public Access to Environmental Information 2003/4/EC.
  • Most EU Directives are implemented into domestic law by means of statutory instruments, but the Data Protection Directive 95/46/EC was implemented into domestic law by the Data Protection Act 1998. The Law Enforcement Directive 2016/680/EU has been implemented into domestic law by Part 3 of the Data Protection Act 2018.

The European Communities Act (ECA) 1972 is the statutory mechanism that enables such EU legislation to have legal effect in the UK. In particular it allowed EU regulations to take effect in domestic law and gave Ministers powers to introduce secondary legislation to implement directives.

The referendum decision on 23rd June 2016 in favour of leaving the EU meant that the European Communities Act 1972 had to be repealed. However, repealing the ECA 1972 would have resulted in large areas of EU law and regulation no longer having any legal effect in the UK. It is widely recognised that this would have created a ‘black hole’ in the domestic statute book and a huge amount of legal uncertainty about the applicable law and the rights previously conferred by EU Law.

The EU (Withdrawal) Act 2018 repeals the European Communities Act from the date that we leave the EU, 29th March 2019. However, to avoid the problem described above, the Act essentially ‘converts’ EU law as it stands at the time we exit the EU into domestic law. It also ‘preserves’ all laws made in the UK to implement EU obligations (such as the Environmental Information Regulations 2004). In a nutshell it means that all the laws and regulations made over the last 40 years, while the UK was an EU Member State, will continue to apply after Brexit. Contrary to what members of the public may have believed when they voted in favour of leaving, EU law will continue to have force in the UK after the date of exit.

This means the following will continue to have effect after the date when the UK leaves the EU:

  • The GDPR 2016
  • The Environmental Information Regulations 2004
  • The Law Enforcement Directive 2016 provisions in Part 3 of the Data Protection Act 2018
  • The Privacy and Electronic Communications (EC Directive) Regulations 2003

After the UK has exited the EU in March 2019, Parliament will be able to decide which of the ‘EU retained’ laws and regulations it wishes to keep, repeal or amend. Ministers will be given wide-ranging and somewhat controversial powers to make these changes by secondary legislation. In particular, there has been criticism about the use of secondary legislation (and the lack of parliamentary scrutiny) to potentially repeal important statutory provisions.

The extent to which these powers may be exercised and may impact on current EU law information rights and data protection law, including the GDPR, the Privacy and Electronic Communications Regulations, the Environmental Regulations and the Law Enforcement Directive will be considered in subsequent blogs and forthcoming webinars.

Judicial interpretation of retained EU Law

The courts and tribunals of the Member States have a legal obligation to interpret national law that gives effect to EU law in a purposive manner. This means there is a duty on the courts to do what is within their jurisdiction to interpret national law in a manner that best achieves the results laid down in EU law, and offers the effective protection of any legal rights conferred by EU law. This is known as ‘indirect effect or the duty of sympathetic interpretation’. For example, the Information Rights Tribunal has frequently cited the aims of the Environmental Information Directive as an aid to the interpretation of the EIR 2004. The Directive requires that the exceptions to disclosure are interpreted in a restrictive manner, and there is clear evidence that the First Tier and Upper Tribunals have taken this on board in their decision-making.

Post Brexit, the national courts will no longer be bound to do this.  However, it is unlikely that the national courts will return to the traditional ‘literal’ approach to interpretation. Increasingly the national courts have shown a willingness to interpret most legislation in a purposive fashion and this is unlikely to change as a result of Brexit.

Where the courts have been faced with the interpretation of national law that gives effect to EU law, they have been able to refer questions to the Court of Justice of the European Union, using the ‘preliminary rulings procedure’. The preliminary rulings of the CJEU are currently binding and seek to ensure that the law throughout Europe is uniformly interpreted. As many information rights practitioners will know, the CJEU has handed down some significant rulings on the interpretation of the 1995 Data Protection Directive 1995/46/EC (such as the famous Lindqvist case in 2001 on the processing of personal data on the internet [1]) and on public authorities under the Environmental Information Directive 2003/4/EC in Fish Legal v the Information Commissioner. [2] In the interest of certainty, these previous rulings, in so far as they relate to retained EU law provisions, are still to be regarded as binding.

The continuing relevance of these decisions and the role of the Court of Justice, post Brexit, will be considered in a later Blog.

[1] Case C-101/01 Criminal proceedings against Bodil Lindqvist

[2] Case C-279/12 Fish Legal and Emily Shirley v Information Commissioner and Others

Posted in Article 50, Data Protection, EU DP Regulation, EU Withdrawal, GDPR

Act Now Delivers GDPR Training In Dubai

In June 2018 Ibrahim Hasan travelled to Dubai to deliver a GDPR workshop for international businesses and their advisers based in the Middle East. A wide range of delegates attended including representatives of the telecommunications, legal and technology sectors.

The General Data Protection Regulation (GDPR) will not just have an impact on Data Controllers and Data Processors in the European Union (EU). It will also apply to organisations in the rest of the world that are:

  • processing personal data of individuals living in the EU;
  • offering goods or services to individuals in the EU, even if there is no charge for such goods or services; or
  • engaging in monitoring or profiling activities of individuals in the EU (for example, the use of cookies/behavioural advertising).

Our Dubai workshop examined the legal and practical impact of GDPR on Middle East/GCC based organisations. All the key issues for Data Controllers as well as Data Processors were discussed including international transfers, contract clauses and guarantees, security and breach notification and when a Data Protection Officer needs to be appointed. Crucially we also discussed how GDPR is a business opportunity rather than a threat.

Questions from the floor included:

  • Application to subsidiaries
  • Practically dealing with the Right to Erasure
  • The overlap of GDPR with human rights
  • The link with local (UAE) laws
  • National security and GDPR
  • Email disclosures
  • Insurance for GDPR breaches
  • Application to group companies outside the EU

The feedback from the delegates was excellent with many saying that the workshop gave them food for thought. The Act Now mugs and notebooks went down well too!

Dubai being Dubai, of course the hospitality extended by the hotel was par excellence. At each refreshment break we were served what seemed to be a full meal!

Our thanks to the staff at Radisson Blu in Dubai Media City, particularly Amish the manager.

Ibrahim Hasan said:

“I was really pleased to design and deliver this workshop in Dubai. It adds to our growing experience of delivering data protection training abroad. I would like to thank my good friends the Hafiji family for hosting me during my stay and showing me the sights. It was an all round 5 star experience.” ***

Act Now Training is pleased to announce two more GDPR training workshops in Dubai (UAE). We can also deliver customized GDPR courses at clients’ premises.

(*** – M and A, it would have been six stars but you forgot the miniature shower gel!!)

Posted in Uncategorized

GDPR Handbook: 2nd Edition Launched – Pre Order Now!

Act Now Training is pleased to announce the launch of the second edition of the GDPR handbook.

We sold over 1500 copies of the 1st Edition which was published in October 2017.

The revised handbook is designed for data protection practitioners and legal advisers who require a single printed resource cross-referencing the GDPR with the supplementary provisions set out in the new Data Protection Act 2018. It contains the full text of the final version of GDPR (as recently corrected by the European Commission) but laid out in a more logical and easy to read manner.

Key Features and Benefits

Under each Article of GDPR we have included:

  • The corresponding GDPR Recitals in a contrasting colour
  • Signposts to any relevant supplementary provisions of the DPA 2018
  • Links to any official guidance issued by the Information Commissioner’s Office explaining the subject matter of the Article
  • Links to any official guidance issued by the EU Article 29 Working party explaining the subject matter of the Article
  • Links to any relevant Act Now blogposts

A lot of the useful explanation of the provisions (Articles) is contained in the Recitals. However, these are at the front of the official text of the GDPR. Consequently, the reader has to constantly flick back and forth between the two.

The Act Now GDPR Handbook places the corresponding Recitals under each Article, allowing a more natural and easier reading of the GDPR.

Contents

  • Full text of the corrected GDPR
  • A summary of the DPA 2018
  • Parts 1 and 2 of the DPA 2018 together with schedules 1-4 (inclusive).

SPECIAL OFFER

The Act Now GDPR Handbook (2nd Edition) is currently on sale at the special introductory price of only £29.99! Save 30% from the RRP of £44.99.

Order now. First 1000 copies only! Offer valid until 31st July 2018! Orders will be shipped from July 9th.

CHARITY DONATION

Through sales of the 1st Edition of this handbook we donated £1500 to the DEC Appeal to aid the 500,000 people, mostly Rohingya women and children, who have fled violence in Myanmar’s (Burma) Rakhine state.

For each copy of the 2nd Edition you order, we will donate £1 to Macmillan Cancer Care.

Our London workshop on the Data Protection Act is fully booked. We have places left in other venues. By popular demand, we have added an extra course for our GDPR Practitioner Certificate.

Posted in GDPR, Handbook

The Data Protection Act 2018: A Summary

The much-publicised Data Protection Act 2018 (DPA 2018) came into force last week (25th May 2018), alongside the General Data Protection Regulation (GDPR). I recently wrote a blog post explaining the aims of the new Act and busting some of the myths.

Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps by enacting “derogations”, where Member States are allowed to make their own rules e.g. about exemptions and children’s consent. This part has to be read alongside the GDPR.

Much of the Act is broadly the same as the Bill when it was introduced to Parliament e.g. children’s consent, automated decisions, Special Category Data etc. Read a summary of the Bill here.

Exemptions

Articles 6(3) and 23(1) of GDPR allow member states to introduce exemptions from various GDPR obligations e.g. transparency and individuals’ rights. All of the familiar exemptions from the old Data Protection Act 1998 (DPA 1998) (see S.29-35 and Schedule 7) are set out in Schedules 2 – 4 of the new Act e.g. crime and taxation, legal proceedings, management forecasts, public functions, negotiations etc. There are some new exemptions and others have been changed.

Immigration: Paragraph 4 of Schedule 2 of the Act introduces a new exemption for personal data processed for the purposes of effective immigration control. This removes most of the Data Subjects’ rights (incl. subject access) where they would prejudice such matters. Campaigners have argued that this exemption means that immigrants, including the 3 million EU citizens in the EU, (and those affected by the Windrush scandal) will not have access to data and information regarding how the Government decides on their fate, including their potential deportation. This makes any defence and legal action against unlawful deportation by the Government extremely difficult. Open Rights Group and campaigners for EU citizens’ rights (the3million) are preparing to challenge this exemption in court. (More here.)

References: The DPA 1998 contained an exemption from the right of subject access for confidential references about a Data Subject given by, amongst others, an employer. However no such exemption applied to a request made for the same reference to a prospective employer. Thus employees could still see what their employer had written about them and challenge it.

Paragraph 24 of Schedule 2 of the new Act has undergone a fundamental change since the Bill stage. It now allows confidential references to be kept secret in all circumstances not just in the hands of the employer/giver of the reference. It also gives an exemption from the right to be informed under Article 13 and 14 of GDPR i.e. the need to mention it in a privacy notice.

This new blanket exemption (which now includes volunteering) takes away important rights of employees and volunteers. It should concern everyone, not just the unions, especially as it was passed without any debate or discussion.

Legal Professional Privilege: Paragraph 19 of Schedule 2 of the Act contains an exemption for personal data that consists of legally privileged information (LPP). It is similar to the one contained in the DPA 1998 but slightly broader in that it also covers personal data which is subject to a duty of confidentiality owed by a professional legal adviser, not just that information covered by LPP. The latter will apply to a much narrower range of information than the former. This exemption allows lawyers to refuse subject access requests and disregard the duty to inform (Article 13 and 14 of GDPR).

Barristers have warned that the Act could hand ‘big brother powers’ to the Information Commissioner’s Office (ICO) by granting it access to privileged material without client consent and subsequently disclosing it. However Section 132 of the Act (Confidentiality of Information) seems to guard against this. 

Freedom of Information

Part 1 of Schedule 19 of the Act amends the personal data exemption/exception under section 40 of the Freedom of Information Act 2000 (FOI) and Regulation 13 of the Environmental Information Regulations 2004 (as well as the equivalent Scottish legislation). These are consequential amendments designed to ensure that the correct provisions of the GDPR and the new Act are referenced instead of the now repealed DPA 1998. They will not fundamentally impact when personal data can, and cannot, be disclosed in response to an FOI or EIR request.

Public Authorities

GDPR mentions public authorities in a number of places e.g. when stipulating who needs to appoint a Data Protection Officer in Article 37. Furthermore the ‘legitimate interests’ condition (Article 6(1)(f)) cannot be relied upon to justify data processing by public authorities in the performance of their public tasks. Section 7 of the Act defines ‘public authority’ as any organisation that is covered by FOI (or its equivalent in Scotland) as well as bodies specified by the Secretary of State. Certain bodies, pursuant to section 7(3), despite being subject to FOI, will not be deemed public authorities for GDPR purposes. Most notably this includes parish councils. Consequently parish councils do not need to appoint a DPO and can rely on the legitimate interests condition without restriction.

Criminal Offences

The Act creates two new criminal offences. Clause 171 makes it an offence for a person knowingly or recklessly to re-identify information that is de-identified personal data without the consent of the Data Controller responsible for de-identifying the personal data. Offenders will be liable on summary conviction or on conviction on indictment, to a fine.

Clause 173 makes it an offence for the Data Controller or a person employed by it to alter, deface, block, erase, destroy or conceal information with the intention of preventing disclosure of information that a Data Subject enforcing his/her rights would have been entitled to receive. Offenders will be liable on summary conviction to a fine. This is similar to the offence under S.77 of the Freedom of Information Act (FOI).

The offence under section 55 of the DPA 1998 is now to be found in Section 170 of the new Act; obtaining or disclosing personal data without the consent of the Data Controller and procuring a disclosure to another person. It is extended to include retaining personal data after obtaining it, without the consent of the Data Controller.

Complaints

Section 165 sets out what individuals can expect if they submit a complaint to the ICO about the way their personal data has been processed under GDPR. Clause 166 sets out a mechanism for a complaint to the Tribunal if the ICO fails to address it adequately. The ICO is currently consulting on its Draft Regulatory Action Policy.

Compensation

Article 82 of GDPR states that any person who has suffered material or non-material damage as a result of an infringement of GDPR shall have the right to receive compensation from the Data Controller or Data Processor for the damage suffered. Section 169 of the Act explains that damage includes financial loss and damage not involving financial loss, such as distress. This is in marked contrast to the DPA 1998 which only allowed compensation for distress where it was linked to damage; although the Court of Appeal decision in Vidal-Hall v Google [2015] EWCA Civ 311 allowed claims for distress alone.

Notification and Fees

Under the DPA 1998 most Data Controllers had an obligation to register with the ICO (known as Notification). There is no such requirement in GDPR. However, as predicted on this blog last year, the Government has introduced a new charging structure for Data Controllers to ensure the continued funding of the ICO. The Data Protection (Charges and Information) Regulations 2018 also came into force on 25th May 2018 and impose different levels of fees depending on the size of the Data Controller. Data Processors do not have to pay any fee to the ICO but then many will be Data Controllers in their own right.

The new regulations are made under a power contained in the Digital Economy Act 2017 (which is itself a controversial piece of legislation due to the wide ranging provisions about data sharing). The ICO website has more details to help Data Controllers work out what fee is payable. (See also our blog post here.)

Section 137 of the new Act goes further in that it allows regulations to be made which require Data Controllers to pay further charges regardless of whether the Commissioner has provided, or proposes to provide, a service to Controllers.

It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. The Information Commissioner writes in her recent blog:

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

We are running DPA 2018 workshops throughout the UK. If you want a brief summary, Ibrahim is doing a webinar next week.

Our ever popular GDPR Practitioner Certificate has availability in Leeds starting on 9th July. Book now.

Need to train frontline staff quickly? Try our GDPR e-learning course. Our next two GDPR Practitioner Certificate courses are fully booked!

Posted in DP ACT 2018, DP Bill, GDPR

The New UK Data Protection Regime

A new dawn broke today for the UK’s data protection regime. The Data Protection Act 1998 is no more. The Data Protection Act 2018 came into force today, alongside the General Data Protection Regulation (GDPR). We have been hearing about GDPR but what does the new Act do?

The DPA 2018 does not, contrary to what many commentators have been writing, incorporate or enshrine GDPR into UK law. GDPR is a Regulation and so directly applicable across the EU. It does not need to be “signed into British law” whilst the UK remains a member of the European Union. Post Brexit it will still be the law (until the Government decides to replace it) due to the provisions of the European Union (Withdrawal) Bill.

So what are the aims of the DPA 2018? The Information Commissioner says in her recent blog:

“The new Act updates data protection laws in the UK, and sits alongside the General Data Protection Regulation (GDPR) which is also due to take effect in two days’ time. The Act implements the EU Law Enforcement Directive, as well as extending domestic data protection laws to areas which are not covered by the GDPR.”

Chapter 2 of Part 2 of the Act supplements the GDPR i.e. it fills in some of the gaps in GDPR – what are known as “derogations”, where Member States are allowed to make their own rules e.g. about exemptions and children’s consent.

But the new Act does more than this; hence its length (339 pages).

Chapter 3 of Part 2 applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply. For example, where personal data processing is related to immigration and to manual unstructured data (held by a public authority covered by the Freedom of Information Act 2000 (FOI)). The Act applies GDPR standards to such data whilst adjusting those that would not work in the national context.

Part 3 of the Act regulates the processing of personal data for law enforcement purposes implementing the Law Enforcement Directive (EU) 2016/680. The provisions here are a cut down version of GDPR. This part will only apply to competent authorities i.e. those that process personal data for the purposes of criminal offences or threats to public security e.g. the police, trading standards departments etc.

Part 4 of the Act makes provisions about the processing of personal data by the Intelligence Services. National security is also outside the scope of EU law. The Government has though decided that it is important the Intelligence Services are required to comply with internationally recognised data protection standards as set out in GDPR.

Parts 5 and 6 make provisions about the Information Commissioner and the enforcement of the data protection legislation. She consulted recently on her regulatory action policy (https://t.co/SOeM41D0UD). 

Going back to Chapter 2 of Part 2 of the Act; remember this has to be read alongside the GDPR to make full sense of the latter. For the most part this remains the same as the original draft bill. (Read a summary of the Bill here.)

The Information Commissioner says on her blog:

“The creation of the Data Protection Act 2018 is not an end point, it’s just the beginning, in the same way that preparations for the GDPR don’t end on 25 May 2018. From this date, we’ll be enforcing the GDPR and the new Act but we all know that effective data protection requires clear evidence of commitment and ongoing effort.”

It’s never too late to put steps in place to comply with the DPA 2018 and GDPR. We are of course talking about positive steps, not sending out those pesky GDPR consent e-mails! See our action plan.

We are running DPA 2018 workshops throughout the UK. If you want a brief summary, Ibrahim is doing a webinar.

We have just launched our GDPR helpline.

Posted in DP ACT 2018, GDPR