By far the most significant developments this month surround data protection and privacy. On 25 May 2018, the General Data Protection Regulation ((EU) 2016/679) (GDPR) will become directly applicable in all EU member states.
GDPR becomes directly applicable in all EU member states
The General Data Protection Regulation ((EU) 2016/679) (GDPR) will become directly applicable in all EU member states on 25 May 2018. The GDPR introduces a raft of new data subject rights and a considerably stricter compliance regime, including substantial documentation requirements and 72-hour mandatory breach reporting, among many other things. It will also have extraterritorial effect.
The GDPR will introduce greater enforcement powers for national data protection authorities, including the power to levy significant fines on data controllers and data processors for failing to comply with the GDPR. The maximum fines in the UK will be increased from £500,000 to up to the higher of €20 million or 4% of the total worldwide annual turnover of the organisation.
In addition to increased fines, the GDPR significantly extends the other potential ramifications of a breach that already existed under the Data Protection Directive (95/46/EC), which the GDPR replaces, including:
- Adverse publicity, potentially leading to reputational damage and lost customer trust.
- Civil actions (including class actions) brought by data subjects where they have suffered material or non-material loss (including distress) and associated costs and expenses.
- Personal criminal liability for directors and senior managers.
- Civil liability or punitive damages for breaches of employment laws.
Although many organisations have been preparing for the GDPR for years, others are still working towards the deadline. Nearly a quarter of respondents to our GDPR compliance survey report were not confident of complying by 25 May 2018, with a substantial number blaming lack of management buy-in. For an overview of Key GDPR content and compliance resources on Practical Law, see our In-house GDPR toolkit.
One key area of keen interest has been the changes around consent. On 13 and 16 April 2018, the Article 29 Working Party (WP29) published final versions of its guidelines on consent and transparency under the GDPR, which should allow the Information Commissioner’s Office (ICO) to finalise its draft guidance on consent shortly.
Government confirms delay to draft E-Privacy Regulation
The original (and ambitious) proposal was that the EU’s draft E-Privacy Regulation would apply from the same day as the GDPR, giving businesses a complete and consistent new compliance framework for both data protection and privacy across the EU. The draft Regulation provides for various enhanced privacy measures, including in relation to user consent, confidentiality of electronic communications, website cookies and unsolicited electronic communications. It also introduces an enforcement regime aligning with the GDPR, including significant fines for breaches.
However, a delay in negotiations has meant that the E-Privacy Regulation will not meet the 25 May 2018 deadline. In the meantime, the ICO has confirmed that the Privacy and Electronic Communications (EC Directive) Regulations 2003 (as amended) (PECR) will still apply. The ICO is updating its guidance and codes of practice to reflect the relationship between the GDPR and other laws, including PECR.
Deadline for action on the EU-US Privacy Shield
In December 2017, the WP29 published its first annual joint report on the EU-US Privacy Shield in which it called on the European Commission and US authorities to restart discussions. The report prioritised the appointment of an ombudsperson and clarification of their rules of procedure, and the filling of vacancies on the Privacy and Civil Liberties Oversight Board by 25 May 2018. Failure to resolve these concerns by this date could result in WP29 taking the Privacy Shield adequacy decision to national courts for them to make a reference to the ECJ for a preliminary ruling.
Network and Information Systems Regulations 2018 come into effect
The Network and Information Systems Regulations 2018 come into effect on 10 May 2018 pursuant to the EU Cybersecurity Directive ((EU) 2016/1148) (also known as the Network and Information Security Directive or NIS Directive). The Regulations impose security and incident reporting requirements on operators of essential services and digital service providers.
FRC events on corporate governance reform for large private companies announced
In 2017, the government announced its intention to introduce a new corporate governance reporting requirement for large private companies. The Financial Reporting Council (FRC) has organised three events in May and June that will focus on the development of the voluntary corporate governance principles for large private companies ahead of the proposed consultation to be launched in June 2018.
On 17 April 2018, the government launched an independent review of the FRC, which will be led by Sir John Kingman. The review will assess the FRC’s governance, impact and powers, to help ensure it is fit for the future, and is expected to be completed by the end of 2018.
The House of Commons’ Business, Energy and Industrial Strategy Select Committee has launched an inquiry into aspects of pay in the private sector and invited written submissions. The Committee asks what improvements have been made to executive pay reporting and what steps have been taken by remuneration committees and institutional investors to combat excessive executive pay in the past 12 months. Evidence on executive pay is invited by 8 May 2018, with a hearing scheduled for 16 May 2018.
Supreme Court to rule on gay marriage cake case
The UK Supreme Court is set to rule on the gay marriage cake case (Lee v McArthur and Ashers Baking Company Ltd [2016] NICA 55) on 1 May 2018. The Northern Ireland Court of Appeal had previously refused leave to appeal against its judgment in the case, along with barring the Advocate General’s attempt to refer the devolution issue raised in the proceedings to the Supreme Court.
The Court of Appeal had upheld a County Court decision that a “Christian business” bakery had directly discriminated against a gay man on the grounds of his sexual orientation by refusing to bake him a cake with the caption “Support Gay Marriage”, contrary to the Equality Act (Sexual Orientation) Regulations (Northern Ireland) 2006 (SI 2006/439).
Feedback requested on proposed European Commission Directive to protect EU whistleblowers
On 23 April 2018, the European Commission adopted a package of measures, including a draft Directive and a Communication, to protect whistleblowers reporting breaches of EU law. The proposed new Directive will set minimum standards guaranteeing protection for whistleblowers who report breaches of a wide range of EU laws, including those relating to financial services, environmental protection, consumer protection, product and transport safety, data protection and privacy, as well as competition law and corporate tax (including VAT) rules.
The Commission has invited feedback on the proposal via its Have Your Say website. The initial deadline is 20 June 2018, but the feedback period will be extended so that it ends eight weeks after the proposal is made available in all EU languages (initially it is only available in English).