30 April 2018

The GDPR is Coming – Are You Prepared?


What is made in Europe but will apply even after Brexit; is in force now but does not apply until May 2018; and is likely to create a new branch of the legal profession and a new arm of corporate governance?  Answer: the General Data Protection Regulation.

What is the GDPR?

The General Data Protection Regulation (2016/679[1]) (the “GDPR”) is a European regulation which entered into force on 24th May 2016 but does not apply until 25th May 2018.  As a regulation it is directly effective and requires no national legislation to become law; it repeals and replaces the Data Protection Directive (95/46/EC[2]).

In so doing, the GDPR significantly strengthens European law on the protection of personal information.  It transforms the role of the Data Protection Officer (“DPO”), mandating the appointment of a DPO in circumstances where this was optional under the Directive and, in effect, creating a new statutory role within a company; and it significantly tightens the controls on the processing, consent and transfer of personal data.  To give the tiger teeth, fines for breach can be up to €20,000,000 or 4% of total worldwide annual turnover, whichever is the higher.  These are real teeth.

What about Brexit?

Article 3 sets out the territorial scope.  The Regulation applies to processing “in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not” (Article 3(1)).  It also applies to the processing of personal data “of data subjects who are in the Union” by a controller or processor not established in the Union, where the processing relates to the offering of goods or services to those data subjects (whether or not payment is required) or to “the monitoring of their behaviour as far as their behaviour takes place within the Union” (Article 3(2)).

There is a third category which applies to “the processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law” (Article 3(3)).  Recital 25 gives a Member State’s diplomatic mission or consular post as the example.

The word “citizen” does not appear in the Regulation at all.  It applies to the processing of personal data of anyone “in the Union”, which includes non-European citizens who are from time to time in the European Union, such as UK nationals who go there on holiday.  It is submitted that even a UK company which, post-Brexit, does all of its processing and storage in the UK (which for many multinationals will be hard to do) will be caught by the Regulation if it offers goods or services to, or monitors the behaviour of, its customers while they are in Europe.  In that sense it is not affected by Brexit.  Worse for the British Government, which has indicated that it will make use of all available derogations from the Regulation, the position may change once the UK is no longer in the European Union, because the derogations are stated to be available only to Member States.  The derogations relied upon may, therefore, fall away, leaving UK businesses exposed to the full Regulation.

The regulation effectively provides for an extra-territorial jurisdiction for European Law.

When is it in force?

The GDPR was adopted on 27th April 2016, published in the Official Journal of the European Union on 4th May 2016 and, under Article 99, entered into force on the twentieth day after publication, 24th May 2016.  It applies from 25th May 2018.  On that date Directive 95/46/EC, the existing Data Protection Directive, is repealed (Article 94).  The existing adequacy decisions covering transfers of data to non-EU countries are not, however, swept away with it: Article 45(9) provides that adequacy decisions adopted under the Directive remain in force until amended, replaced or repealed by the Commission.

In effect, there is now less than a month for companies and organisations affected by the Regulation to get their houses in order.  This will include identifying their uses of personal data and whether and to what extent they are affected by the Regulation, appointing the necessary officers and obtaining the necessary consents from data subjects where consent is the lawful basis relied upon.

The DPO

Not every company or organisation will require a DPO.  However, for those who do require one, the role is now significantly enhanced from that which existed under the previous legal framework.

The Regulation sets out the role and responsibilities of the DPO in fairly broad terms, as is typical of European legislation.  However, the way that this is done has potentially far-reaching effect.  The DPO must report directly to the highest management level of the organisation (the Board in most UK companies) and must have expert knowledge of data protection law and practice; the DPO may not receive instructions from anyone in the company regarding the performance of his DPO tasks; and the DPO may not be dismissed or penalised for performing those tasks.  He therefore becomes at the same time arguably the most powerful person in the company and the one subject to the least control by it.  His is a statutory role, although he does not have to be an employee: the Regulation allows the tasks to be performed under a service contract.  This is a real and significant change.

The DPO might, you might think, be a legal professional.  He certainly has to be a professional.  However, the role of DPO intrinsically conflicts with the role of in-house counsel, and so, it is argued, has to be a separate person.  Second, how many lawyers do you know who are at the same time experts in a particular field of law and expert, or at least competently knowledgeable, in information technology?  Not many, I suspect.

The DPO should, impliedly from the wording of the Regulation, be subject to professional accreditation and to the highest professional standards in performing his role.  It is suggested that none of the existing branches of the legal profession are regulated by regulators competent to manage professionals in two fields simultaneously.  The DPO will be neither a solicitor, nor a barrister, nor a legal executive, nor a notary public.  He will, it is suggested, fall into a fifth, currently unregulated, branch of the legal profession, one whose yet-to-be-identified regulator will need to consider carefully the DPO’s professional competencies and obligations in the areas of information law and information processing.

It may be that the creation of this new branch of the profession, if it happens, will benefit universities, which are currently pouring law graduates into a sea surrounded by rocks and lacking in opportunity, by encouraging them to point their students in a new direction.  It has been suggested that around 30,000[3] DPOs will be needed in the UK alone, a “guesstimate” dependent on a number of factors (and maybe a gross over-estimate).

Those selected as having both the skills to practise in a methodical and detailed legal field and the ability to learn and deploy skills in information and data processing might well find that this leads to a productive future.  As a new branch of the legal profession, indeed as a new profession, the DPO will not need to go through the arcane jumping through burning hoops that would-be solicitors and barristers must endure to find the ever more elusive training contract or pupillage before they can even begin to consider their future.

Conclusion

The GDPR is with us now and will be with us beyond Brexit.  The Regulation is far-reaching and has real teeth.  The role of the DPO is expanded and enhanced, and a good deal of work needs to be done by companies which handle personal data to ensure compliance before 25th May 2018.  If you have not yet considered these issues for your business, you should take advice sooner rather than later.


This article is an updated version of an article which first appeared in the Invictus Chambers “blog” in Spring 2017.

[1]    http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&qid=1486048653634&from=en

[2]    http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:31995L0046

[3]    Informal communication.
