To date, the main legacy of the Brexit referendum of 2016 appears to be a country split in half: some badly wish the UK would continue to be a member of the EU and some are equally keen on making a move. Yet, there seems to be at least one thing on which Remainers and Leavers will agree: nobody knows exactly what is going to happen. The same is true of the effect of Brexit on UK data protection. However, as Brexit day approaches, it is becoming imperative for those with responsibility for data protection compliance to make some crucial strategic decisions. To help with that process, here are some pointers about what we know and what we don’t know.
The Internet Newsletter for Lawyers is edited by Nick Holmes and Delia Venables
“So, have I missed the boat to get ready for the GDPR?” “Will I get fined for not being fully up to speed?” “What is the worst thing that can happen if I am not complying by May 2018?” These are some of the most frequently asked questions currently accompanying the efforts (or lack of them) to prepare for the GDPR.
The GDPR is an ambitious, complex and strict law that will transform the way personal information is collected, shared and used globally. The organisational changes required to comply with this framework will be substantial and the potential consequences of not doing things properly can be severe. Therefore, it is not surprising that the climate around the GDPR and its compliance requirements is one of panic.
After all of the 2016 drama, the start of a brand new year is a welcome development in itself – a clean sheet for a script yet to be written. However, 2017 will not be without challenges and the same applies to the world of privacy and data protection. Many of the big issues that arose during 2016 will need to be addressed in 2017. New questions will no doubt emerge.
For decades, overcoming the limitations of European data protection law to transfer personal data to countries outside the European Union has been a compliance priority for organisations operating internationally. Global data flows are part of the fabric of modern communications and everyday commercial and social interactions. This is especially true of the transatlantic relations between the European Union and the United States. However, countries such as the US that approach the regulation of personal data privacy from a different perspective than countries in Europe face a tough challenge when trying to demonstrate an adequate level of protection according to the European standard.
On 6 October 2015, the Court of Justice of the European Union (CJEU) declared the EU–US Safe Harbor framework invalid as a mechanism to legitimise transfers of personal data from the EU to the US. This decision effectively leaves any organisation that relied on Safe Harbor exposed to claims that such data transfers are unlawful and could have serious implications for transfers of personal data both within multinationals and to global service providers.
Safe Harbor was jointly devised by the European Commission and the US Department of Commerce as a framework that would allow US-based organisations to overcome the restrictions on transfers of personal data from the EU. However, since its adoption, Safe Harbor was fraught with challenges. Although the data protection requirements set out in the Safe Harbor Privacy Principles were meant to match the standards of protection of European law, its self-certification nature and the non-European style of its provisions have attracted much criticism over the years. In particular, the revelations triggered by Edward Snowden in 2013 about the US intelligence surveillance operations led the European Parliament to adopt a resolution seeking its immediate suspension. The European Commission had no choice but to reopen the dialogue with the US government to find a way of strengthening the framework and restoring its credibility.
In recent years, privacy and data protection have become business critical issues whose significance is only set to increase. Due to the combined effect of three factors – the evolution of technology, the realisation of the strategic and commercial value of personal data, and the globalisation of data-reliant activities – we find ourselves at a crucial crossroads. The implications of devising an effective legal framework to regulate the use of personal information are crucial for the future of humanity, our freedoms and our economic wellbeing.
A key functionality of social networking services is the ability of the user to “import” the contact details of existing friends and acquaintances. This functionality is a simple technological solution that relies on the sharing of personal information – which is what online networking is all about – so it is essential to know how to make the most of it in a non-intrusive and responsible way.
It is sometimes difficult to comprehend how, in the not too distant past, anyone could book a hotel without looking at TripAdvisor or could invite someone out for lunch without checking a user review published in Toptable or london-eating. Today, we rely on the collective wisdom of total strangers (although not necessarily to the operator of the website) to make important decisions like where to stay during a holiday abroad or where to take a key client for lunch. This is the spirit of Web 2.0 – the latest reincarnation of e-business and one that is proving very rewarding for a new breed of hugely popular websites.