Data Protection, the DPA and the EU GDPR
The UK’s DPA 2018 (Data Protection Act 2018) supplements the EU’s GDPR (General Data Protection Regulation) by filling in sections of the Regulation that are left to individual member states to interpret and implement.
The DPA 2018 also applies “a broadly equivalent regime” – which it calls “the applied GDPR” – to certain types of personal data processing that fall outside the GDPR’s scope. These include processing for law enforcement purposes and processing by public authorities.
Because the DPA 2018 supports the GDPR rather than enacting it, the two laws should be read together.
A brief history of data protection law in the UK
The Data Protection Directive 1995 and the DPA 1998
The DPA 1998 enacted the provisions of the EU’s Data Protection Directive 1995 (Directive 95/46/EC) in the UK.
Among other stipulations, it set out eight data protection principles to ensure that personal data was:
- Processed fairly and lawfully.
- Obtained and processed only for specific and specified purposes.
- Adequate, relevant and not excessive.
- Accurate and up to date.
- Not retained for longer than necessary.
- Processed in accordance with the individual’s rights.
- Held with appropriate levels of security.
- Not transferred outside the EEA (European Economic Area) without adequate levels of legal protection.
Organisations found to be in breach of the DPA 1998 could be fined up to £500,000 by the ICO (Information Commissioner’s Office).
The Data Protection Directive 1995 and all local laws derived from it, including the DPA 1998, have now been superseded by the GDPR.
The GDPR and the DPA 2018
Originally proposed by the European Commission in January 2012, the GDPR (Regulation (EU) 2016/679) was adopted by the European Parliament in April 2016, published in the Official Journal of the European Union on 4 May 2016 and entered into force on 24 May 2016. Following a two-year transition period, it has been enforced in all 28 EU member states since 25 May 2018.
In the UK, a new Data Protection Act was also enacted in May 2018 to supplement the GDPR by filling in sections of the Regulation that are left to individual member states to interpret and implement, and applying its provisions – or at least a “broadly similar regime” – to certain areas outside the GDPR’s scope.
Under the GDPR, data subjects have the right to lodge a complaint with the supervisory authority (in the UK, the ICO) if they consider that the processing of their personal data infringes the Regulation, and the right to an effective judicial remedy against data controllers and processors if they consider their rights to have been infringed by processing that does not comply with the Regulation.
On top of this, the ICO has the power to “impose a temporary or definitive limitation including a ban on processing” (Article 58(2)(f) of the GDPR) – i.e. it can effectively shut organisations down altogether.
Both the GDPR and the DPA 2018 are backed by a regime of considerably higher penalties than the DPA 1998, with administrative fines of up to €20 million (about £17.5 million) or 4% of annual global turnover – whichever is greater.
The PECR and the ePR
The ePrivacy Regulation or ePR (Regulation on Privacy and Electronic Communications) is set to replace the 2002 ePrivacy Directive and all member state laws that enforce it, including the UK’s PECR. It was originally intended to come into effect alongside the GDPR on 25 May 2018, but is now tentatively scheduled to apply from 2019.
The ePR is broader in scope, and aims to ensure stronger privacy in all electronic communications – including OTT (over-the-top) service providers such as instant messaging apps and VoIP (Voice over Internet Protocol) platforms, and machine-to-machine communications such as the IoT (Internet of Things).
The difference between EU regulations and directives
The EU has two types of legal instruments that are used to regulate business: directives and regulations.
- Directives set minimum standards and parameters for the EU, but leave the actual implementation down to the states themselves. When a directive is passed, the EU sets a deadline by which every member state must have put the directive into force, whether by law, regulation or other initiative.
- Regulations, on the other hand, apply across the EU with the same authority as if they were local laws. The ePR and the GDPR fall into this category. Member states may choose to pass their own laws to implement a regulation (often because the regulation requires each state to define some detail individually), but the regulation will apply regardless.
The future: Brexit, cross-border data transfers and adequacy
The DPA 2018 sits alongside the GDPR, and both laws apply directly in the UK. When the UK leaves the EU on 29 March 2019, however, the GDPR will no longer directly apply, as it is an EU regulation.
In order for cross-border transfers to continue, the European Commission will need to determine that the UK, as a third country, offers personal data an acceptable level of protection via an adequacy decision as per Article 45 of the GDPR.
As of July 2018, the European Commission has adopted 12 adequacy decisions: with Andorra, Argentina, Canada (for transfers to commercial organisations that are subject to the PIPEDA (Personal Information Protection and Electronic Documents Act)), the Faroe Islands, Guernsey, Israel, the Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and the US (for companies certified under the EU-US Privacy Shield). Talks with Japan and South Korea are ongoing.
There is significant time pressure for the UK: the last third country to strike such a deal was New Zealand, and that process took about four years.
The UK hopes that, by enacting the GDPR in domestic law through the European Union (Withdrawal) Bill, it will be able to demonstrate that the required standards are maintained, so that personal data can continue to be transferred to and from the EU unhindered.
Until an adequacy decision is reached, organisations in the UK will have to rely on binding corporate rules, standard contractual clauses or approved codes of conduct to transfer data to and from the EEA.