It's been quite a year for data privacy with the General Data Protection Regulation finally coming into effect in May, a mere six years after it was originally published. A raft of Member State legislation and guidance has followed. You can read more about that and other data privacy developments in full on our Global Data Hub, but here are the UK and EU highlights of 2018, in addition to the GDPR itself.

GDPR guidance

With the GDPR has come guidance from regulators. We have focused on ICO guidance and on guidance produced by the Article 29 Working Party (WP29), now the European Data Protection Board (EDPB).

In January we looked at draft WP29 guidance on consent which was finalised in May alongside consent guidance from the ICO. In March, we looked at WP29 guidance on breach notification, fines and profiling. In April, we looked at ICO guidance on legitimate interests and draft guidance on DPIAs. Finally, in November we covered the ICO guidance on encryption and passwords. Again, you can read that and other coverage on GDPR guidance on the Global Data Hub.

Data Protection Act 2018

The GDPR was intended to be the last word in EU data protection law, but agreement could not be reached on all provisions and it was eventually accepted that Member States would have scope to depart from the GDPR and introduce their own provisions in some areas.

Member States were also required to produce implementing legislation for the Law Enforcement Directive (which deals with the use of personal data by law enforcement agencies).

The Data Protection Act 2018:

• ‍Repeals and replaces the Data Protection Act 1998.
• ‍Incorporates the GDPR into UK law and applies GDPR standards to areas not covered by EU data protection law.
• ‍Lays the ground for free flow of data between the UK and the EU after Brexit.
• ‍Sets out permitted derogations under the GDPR.
• Implements the Law Enforcement Directive.
• ‍Provides a framework for data protection for the Intelligence Services.
• ‍Sets out the duties and powers of the UK's ICO.
• ‍Sets out enforcement provisions.

Read more here.

The UK data registration fee

As we reported in March, while the GDPR did away with an annual notification requirement, it also increased the tasks which need to be carried out by Supervisory Authorities, all the while, removing the income they receive from notification fees. Recognising the need for increased revenue, the UK government introduced a new annual data protection fee to replace the defunct notification fee.

The fee ranges from £40-£2,900. The ICO has set up a self-assessment tool to help organisations work out whether and what they need to pay. So far, the ICO has fined 100 organisations for failing to register and is preparing to fine a further 900 so this needs to be taken seriously.

ePrivacy and unsolicited direct marketing

ePrivacy rules govern the sending of electronic marketing communications and the use of cookies (among other things). The European Commission published a proposal for an ePrivacy Regulation (Regulation) to overhaul the ePrivacy Directive and harmonise application across the EU as part of its Digital Single Market initiative. The initial intention was for the Regulation to come into effect at the same time as the General Data Protection Regulation (GDPR) on 25 May 2018, but this always looked ambitious and it now seems likely that the Regulation will not be finalised before the European elections in May 2019.

As the draft Regulation has progressed through the legislative process, it appears to have been considerably watered down in terms of capturing consent to cookies. It may also fail to have the feared impact on direct marketing communications. While we don't yet know where it will end up, it is possible that the greatest impact on direct marketing has already been felt through the new definition of consent in the GDPR which already applies. Read more about the progress of the Regulation.

Meanwhile, the UK's ICO has continued the battle against unsolicited direct marketing. In October alone, it issued £310,000 in fines and had 103 cases under investigation.

The ICO's efforts have been supported by legislative initiatives. The government has laid draft Regulations before Parliament to amend PECR and give the ICO increased powers to impose direct fines of up to £500,000 on rogue individual directors. Directors will be personally liable for PECR breaches relating to the use of automated calling systems and unsolicited direct marketing where they have consented to or connived in the breach, or the breach is attributable to their neglect. The Regulations came into force on 17 December 2018.

PECR was also amended by s35 Financial Guidance and Claims Act 2018, in relation to calls for direct marketing by claims management services which, since 8 September 2018, can only be made where the customer has opted in to receiving such calls. Similar measures for calls relating to pensions cold calling are planned. In both cases, there will be fines of up to £500,000 for non-compliance.

Data exports

Scrutiny of the EU-US Privacy Shield has continued this year, with the European Parliament calling repeatedly for its suspension. The second annual review has just taken place (results were expected in November but had not been published at the time of writing). The US has recently taken steps to address some of the EU's concerns from the first annual review, including appointing three members to the Privacy and Civil Liberties Oversight Board and naming Manisha Singh as the Privacy Shield Ombudsperson. Other recommended actions included more proactive monitoring of compliance, and a promotion of the citizens' rights protected by the Privacy Shield. It remains to be seen whether sufficient steps have now been taken to avoid suspension.

As we discussed on Global Data Hub, Standard Contractual Clauses are also under the spotlight as another Schrems case makes its way to the CJEU. The CJEU is considering questions made in a reference by the Irish High Court around the validity of Adequacy Decisions which allow the use of EC Standard Contractual Clauses as a lawful basis for personal data transfers between the EU and the USA. This puts standard contractual clauses (SCCs) at risk of ceasing to be a lawful data transfer tool for EU-US data flows which would be a serious blow.

Separately, Japan is close to getting an Adequacy Decision which would allow the free flow of personal data between the EEA and Japan.

Brexit

As everyone knows, the situation with Brexit remains extremely unclear. Some comfort can be drawn from the high profile given to maintaining the free flow of personal data between the EU and the UK after Brexit in the Political Declaration on the future relationship (even if that fails to survive). The Political Declaration stresses the UK's commitment to a high level of personal data protection. The EU will aim to adopt an Adequacy Decision by the end of 2020 and in the same time frame, the UK will take comparable steps to facilitate personal data flows to the EU. We have known for some time that the EU would not begin adequacy discussions until after exit, but it is reassuring to learn the UK is unlikely to go to the back of the adequacy queue.

Having said that, the Brexit process is in turmoil and we are facing a real possibility of a no deal Brexit. In that situation, the UK has said that it will not (in the short to medium term) do anything to restrict the flow of personal data between the UK and the EEA. Businesses relying on the free flow of data between the EEA and the UK, may, however, soon need to consider entering into Standard Contractual Clauses to ensure data flows are not interrupted. Read more here.

EU Regulation for the free flow of non-personal data

Described by the EU as the 'fifth freedom', this Regulation has just been passed and will prevent unjustified data localisation requirements. It comes into effect in six months' time.