In 2016 the General Data Protection Regulation (GDPR) became EU law, giving businesses throughout the EU and beyond two years to comply or face substantial fines of upwards of €10m. However, since April 2016 there have been several seismic shifts in the global political and economic landscape, leading to complications regarding what is required of businesses over the coming months. Dani breaks it down.
In our whitepaper ‘Technology Predictions 2017’ we discussed the importance of UK businesses familiarising themselves with the legislation and becoming compliant: despite the Brexit vote in June 2016, any UK business handling EU citizens’ data or operating within the EU remains subject to the requirements set out in the GDPR.
Data protection law – what you need to know
Investigatory Powers Act
Following Brexit and the subsequent appointment of our new Prime Minister, Theresa May, we have seen the passing of the Investigatory Powers Act, also known as the Snoopers’ Charter. Aspects of the Act could complicate matters for businesses working towards GDPR compliance.
The Act updates the UK’s existing surveillance legislation and introduces a number of new powers. Most significantly, it gives the government the ability to intercept communications and to acquire and retain bulk datasets.
This is in contrast to the GDPR, under which a data subject must actively give consent for their personal data to be processed, and data controllers must keep an accessible and detailed record of how data is used, where and by whom.
It remains to be seen how this potential conflict will be resolved by the UK Government.
Privacy Shield was introduced in February 2016 to replace Safe Harbour, the framework set up to allow unhindered data transfer between the EU and the US, which was declared invalid by the European Court of Justice in October 2015.
A driving force behind the invalidation of Safe Harbour, and the need for revised legislation, was EU concern over the bulk collection of EU citizens’ personal data by US state surveillance services such as the NSA. Privacy Shield (as part of the larger Umbrella Agreement between the US and the EU) affords EU citizens the right to seek judicial review in the event of a US law enforcement agency unlawfully disclosing their personally identifiable information.
Previously, this right had been afforded to US citizens under the Privacy Act 1974 but did not extend to EU citizens. The EU rejected any version of an agreement with the US until such protections applied to its own citizens, and this fed into the final Privacy Shield framework.
However, just days after President Trump took office in the White House, the Trump administration made the following amendment to the US’s 1974 Privacy Act:
‘Sec 14 Privacy Act. Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not US citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information.’
While the exact implications for EU and UK businesses are yet to be clarified, the Judicial Redress Act – which paved the way for Privacy Shield by guaranteeing high-level protection of personal data, regardless of nationality, when it is transferred across the Atlantic for law enforcement purposes – should continue to protect EU citizens.