What to expect in Data Protection Law in 2019

Our data protection team give an update on what we can expect to see this year relating to the Data Protection Act 2018 and recent cases businesses can learn from.

As expected, Brexit is likely to continue to dominate in 2019, with a particular focus on international data transfers after exit day. However, there is also set to be publication of further guidance following the introduction of the General Data Protection Regulation (GDPR) last May (which will be retained in UK law under the EU (Withdrawal) Act 2018) and several interesting civil and criminal cases will be heard.

Data Protection Act 2018, Guidance publication

The Information Commissioner’s Office (ICO) plans to issue new, and expand on current, guidance in various areas, such as deletion of personal data, ‘public task’ as a lawful basis for processing, and exemptions from the rights of access, rectification, erasure, restriction, portability and objection under the Data Protection Act 2018 (DPA). The ICO also plans to issue new codes of practice as required by the DPA after ongoing consultations.

The results of a recently published consultation on the territorial scope of the GDPR are also expected this year, along with guidance on international transfers in general, and the use of codes and certifications as appropriate safeguards for international transfers.

The Data Protection Act 2018 will continue to affect technology in 2019

Data protection in technology continues to be a priority for the ICO and the draft E-Privacy Regulation (ePR) is likely to be adopted in 2019, which will renew the focus on cookies and other similar technology. Although it is unlikely that the ePR will be implemented before Brexit, the draft proposes that it should apply regardless of whether the processing of data takes place in the EU, or whether the processor is located in the EU. It is likely that it will therefore be introduced in any event.

The ICO will launch the regulatory sandbox with a consultation workshop scheduled for February and it has confirmed that Artificial Intelligence, big data and machine learning are priorities as part of its technology strategy.

Recent cases relating to the Data Protection Act 2018

A stark warning regarding the potential sanctions for data breaches has already been highlighted this year with SCL Elections Ltd (trading as Cambridge Analytica) pleading guilty on 9 January 2019 to failure to comply with an enforcement notice leading to a fine of £15,000 plus costs. It is likely that we will see further cases of this nature in the future.

In the civil sphere, the Irish Supreme Court has granted Facebook leave to appeal an European Court of Justice reference relating to the validity of the controller-to-processor standard contractual clauses and this is due to be heard in January. Morrisons is also expected to appeal a Court of Appeal decision on a case concerning vicarious liability over an employee's deliberate disclosure of data.

CONTACT CHRIS

If you would like more information or advice relating to this article or an Employment law matter, please do not hesitate to contact Chris Cook on 01727 798089.

Read our latest views & insight about the GDPR
GDPR Numbers Image SA Law
Views & Insights
GDPR one year on

Subject access requests and complaints have been commonplace since the GDPR came into effect. Find out more about the trends and traps.

Read More
SA Law Red arrow neon light image
Views & Insights
Google issued with £44m fine over GDPR breach

Head of Employment and Data Protection, Chris Cook, explains Google's GDPR breach that led to landmark £44 million fine.

Read More
SA Law Red arrow neon light image
Views & Insights
What is the difference between a controller and processor under the Data Protection Act 2018?

Partner and Head of Employment & Data Protection, Chris Cook describes how to distinguish between a processor and controller under GDPR.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR - 6 Months On

Partner and Head of Employment & Data Protection Chris Cook comments on the impacts of GDPR over the past 6 months.

Read More
SA Law Red arrow neon light image
Views & Insights
ICO publishes passwords and encryption guidance

Partner, Chris Cook, identifies the new ICO guidance on passwords in online services and encryption under GDPR.

Read More
Stained glass window Employment SA Law
Views & Insights
GDPR and SARs; staying compliant and protected

Partner and Head of Employment & Data Protection, Chris Cook writes in Education Executive about the GDPR and SARs.

Read More
Red arrow light
Views & Insights
Divorce and the GDPR

In the Financial Times Adviser, Marilyn and Chris discuss the implications of being jointly instructed by one party in the proceedings.

Read More
SA Law Red arrow neon light image
Views & Insights
GDPR: A five step guide to dealing with a data breach

Chris Cook shares a five step guide to dealing with a data breach including assessing risk & reporting.

Read More

© SA LAW 2019

Every care is taken in the preparation of our articles. However, no responsibility can be accepted to any person who acts on the basis of information contained in them alone. You are recommended to obtain specific advice in respect of individual cases.