The second thing which didn’t happen whilst I was on maternity leave: The new EU ePrivacy Regulation wasn’t finalised. The new Regulation is due to replace the EU ePrivacy Directive and the UK’s current ePrivacy Regulations (commonly referred to as ‘PECR’).
Since my previous update from 2018: The GDPR is here! What now?, the UK Information Commissioner’s Office (ICO) and the EU European Data Protection Board (EDPB) have continued to publish new and updated guidance on the GDPR and UK Data Protection Act 2018. The EDPB has also provided its first Opinions. This article provides an overview on some key topics.
When I started my "10 things that happened…" series I decided that an update on social media legal issues would be interesting. Since then, I keep on discovering more and more publications and cases which I want to read and discuss. So there is a bit of a mixture in this article – a few top choices from my research.
The first of my two things that didn’t happen: Brexit. At least not yet. As with many other aspects of Brexit, it is difficult to plan ahead properly on legal issues without certainty on what is going to happen and when. Deal or no deal? Customs Union? Single Market? Or maybe we won’t leave at all… Legal concerns may be hugely different depending on the type of Brexit and when (or if) it happens.
Recent court judgments have some important conclusions relating to subject access requests (SARs) and, in particular, personal data relating to third party individuals. The relevant law for these cases is the Data Protection Act 1998. Similar principles will apply to equivalent rules under the GDPR and Data Protection Act 2018, though I have also raised some important differences in my article.
On 23 January 2019, Japan was recognised by the EU Commission as having sufficient data protection laws for the purposes of data transfers. This means that personal data can be transferred from the EU to Japan without the need for additional measures under Chapter V of the GDPR (though note that all the other requirements of the GDPR still need to be met in relation to such transfers).
There has been a lot of ICO enforcement action to catch up on. Most of this action has been under the previous Data Protection Act 1998 (as it relates to data processing activities prior to the application of the GDPR).
What happened in the legal world whilst I was on maternity leave? That’s what I’ve been catching up on. Whilst I was cuddling and playing over the past 10 months, some exciting legal stuff went on. In a series of 12 articles, I will discuss my top 10 things that happened, and my top two things that didn’t happen.
Up first: The GDPR had its first birthday.