The UK’s Supreme Court decision this week, whilst resolving a constitutional issue, has not assisted the uncertainty that Brexit brings for businesses in the UK or trading with the UK.
We identify three upcoming European laws that affect businesses and which, in our view, will not be affected by the UK leaving the European Union. Each of these laws will come into force in 2018 and each requires businesses in the UK and trading with the UK to start their preparations for compliance now.
The Supreme Court ruled this week (24 January 2017) that it is the British Parliament and not the British Government (or the devolved national administrations) that has the right to decide whether or not the UK leaves the European Union. Accordingly, it is not surprising that it will be Parliament’s passing of the “Brexit Act 2017” (or whatever it might be called) that will be making the headlines this year.
Whilst there can be no doubt about the significance of this, new laws emanating from Europe in 2017 will continue to affect businesses in the UK and, importantly, those businesses outside the UK that trade with the UK.
In our first email update of 2017, we summarise three separate forthcoming European laws that, in our view, will:
- not, for the greater part, be affected by the UK leaving the European Union;
- come into force in 2018;
- have a significant effect on businesses in the technology and data sectors or that utilise technology and data at an operational level; and
- require, to some extent, preparatory work for businesses in 2017.
1. The General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) will come into force on 25 May 2018, replacing the EC Data Protection Directive (EC/98/46), which was implemented in the UK in the Data Protection Act 1998. As an EU Regulation, the GDPR will be directly applicable pre-Brexit, and our view is that the UK Government is likely to implement the substantive provisions of the Regulation on Brexit.
The GDPR sets a new and, in most cases, higher standard of privacy protection for individuals’ personal data. All businesses that process EU citizens’ personal data will be affected, including those that are established outside of the EU.
Businesses will have to carry out privacy impact assessments prior to processing personal data. As before, consent of the individual is key to lawful processing of their personal data. However, the rules on what constitutes a legitimate “opt-in” consent are stricter. Further, stricter rules apply to special categories of sensitive personal data such as biometric data.
Individuals whose data is processed are granted new and enhanced rights. The “right to be forgotten” requiring deletion of personal data has been well publicised. A new right to data portability is provided. Rights to receive a copy of personal data and to object to processing have been enhanced.
The concepts of “privacy by design” and “privacy by default” are central to the new Regulation. Businesses will have to demonstrate that they have systems and procedures in place to ensure compliance. Larger businesses are obliged to appoint a Data Protection Officer to monitor and verify compliance.
Businesses will no longer need to notify the regulator that they intend to process personal data. However, the rules in relation to notifying regulators when a breach of personal data has occurred are now stricter. For businesses operating in multiple European countries, the principle of a “one stop shop” or “passport” is a welcome new addition. This means businesses can focus on complying with the GDPR in the European country where they are primarily established. It remains to be seen how this principle will be affected by Brexit.
A new regime of fines for failure to comply is established. The maximum fine for the most serious breaches is capped at 4% of annual global turnover or 20,000,000 euros.
We are currently carrying out a number of privacy impact assessments for UK, US and other clients based around the world that sell goods and services to EU citizens. Our advice is that you should not delay preparation for the GDPR. This does not necessarily mean a significant amount of work for organisations that have worked hard to ensure that they comply with the existing legislation. For those others, Elizabeth Denham, the UK Information Commissioner, has indicated that she believes that organisations should regard the new Regulation as an opportunity to “put their house in order”. She has signalled that she intends to get tough with those who do not.
2. A New ePrivacy Regulation
Earlier this month (January 2017), the European Commission presented a proposal for a Regulation to replace the current rules on electronic communications, known as the ePrivacy Directive. The current Directive came into force in the UK by a 2003 Regulation. It was amended and extended by a 2009 Directive, known as the Cookie Directive, that was implemented in the UK in a 2011 Regulation. The new Regulation, when it is finalised, will be directly applicable. Like the GDPR, we expect the UK Government to pass legislation preserving the new ePrivacy Regulation on Brexit.
The new ePrivacy Regulation is a bundle of rules relating to the use of “Electronic Communications Services”. The rules establish the principles of security and confidentiality of all forms of electronic communication. Consistent with the GDPR, they establish “opt in consent” rules about the retention and use of traffic data in electronic communications.
The new Regulation now applies to all forms of “Over the Top” electronic communications, not just emails and websites. This includes Voice over IP (Skype, Facetime, Webex etc.), instant messaging (WhatsApp, SnapChat, iMessage etc.) and web-based email services (GoogleMail, Outlook365 etc.).
Also included are machine-to-machine communications (Internet of Things, Beacons etc.) and publicly accessible local area networks and “hotspots” (via wi-fi and bluetooth). Principles in respect of the retention and use of traffic data under the old ePrivacy Directive are now extended to all metadata generated during the use of such services.
There are stricter and more prescriptive rules and controls on the collection and use of data from all “terminal equipment”, which now includes smartphones, tablets and IoT devices as well as desktop computers. The key principle is still “opt in” consent. There are new requirements to ensure that users are notified about the collection of technical data from devices (IMEI, MAC addresses, IMSI data) for so-called “device fingerprinting”.
Electronic Communications software (whether it be a web browser or an instant messaging App on a smartphone) now needs to notify users of its privacy settings on installation and require users to consent to those settings before proceeding with the installation.
The new ePrivacy regulations apply to all providers of electronic communications directory services. Opt in consent is required and rights to verify, correct and delete data in directories are provided.
Clear rules on direct marketing and unsolicited communication by email and by telephone are established. As with the GDPR, there are stricter rules on notifications of breaches of the new regulations and the level of fines that can be levied has been increased to a maximum of 4% of total worldwide annual revenues.
The effect on most businesses (who perhaps only utilise a website as a marketing and sales channel and use email to market to their customers) will be minimal. They should review their privacy policies and marketing strategies and procedures. This could form part of an existing compliance plan for the new General Data Protection Regulation, which also comes into force in 2018.
However, businesses in the digital advertising industry, or those who operate an electronic communications service or a “big data” or “analytics” App, are more significantly affected. In 2017 they will need to undertake a careful analysis of how their technology operates, how they collect and use data and how they communicate with their marketing and user base in order to ensure that they comply with the new Regulation.
Our further, more detailed, assessment of the new ePrivacy Regulation can be found here.
3. The Trade Secrets Directive
The Trade Secrets Directive was adopted on 8 June 2016. It requires the UK (and other European member states) to implement the Directive into local law by 9 June 2018.
The purpose of the Trade Secret Directive is to set a minimum standard for the protection of “secret” business information that has a commercial value. The Directive sets out a number of primary unlawful practices in respect of trade secrets (chiefly misappropriating a trade secret) and also a number of secondary practices (such as dealing with a trade secret). There are statutory exceptions and these include protection for “whistleblowers”.
UK law has traditionally protected trade secrets and other confidential information through the common law equitable doctrine of confidentiality and through contractual means such as confidentiality and non-disclosure agreements. The relationship between the two has not always been clear, especially in relation to the exceptions to duties of confidentiality (where contract law and common law have varied significantly). Remedies for a common law and a contractual breach of confidentiality, and the assessment of damages, also differ significantly.
Whether or not the UK has left the European Union by 9 June 2018, our view is that the UK Government will take the opportunity to codify existing common law and contractual doctrines of confidentiality. The Trade Secrets Directive adopts some, but not all, of the principles of the US Uniform Trade Secrets Act 1979 (amended in 1985); the main omission is the concept of a proprietary right in a trade secret. A degree of alignment with US principles is also beneficial in encouraging information sharing and commerce between US and UK technology businesses.
Draft legislation implementing the Directive has not yet been published by the UK Government. Accordingly, it is not clear to us how the existing contractual and common law rights will be affected by codification. Some, we believe, will survive; others are likely to be swept away. Once the draft implementing legislation is published (and we expect it this year), we would expect prudent businesses in the UK (or other businesses that enter into English law agreements) to review their practices (and accompanying legal documentation) relating to the protection of their valuable business secrets and information.