As expected, Brexit is likely to continue to dominate in 2019, with a particular focus on international data transfers after exit day. However, further guidance is also set to be published following the introduction of the General Data Protection Regulation (GDPR) last May (which will be retained in UK law under the EU (Withdrawal) Act 2018), and several interesting civil and criminal cases will be heard.
Data Protection Act 2018, Guidance publication
The Information Commissioner’s Office (ICO) plans to issue new, and expand on current, guidance in various areas, such as deletion of personal data, ‘public task’ as a lawful basis for processing, and exemptions from the rights of access, rectification, erasure, restriction, portability and objection under the Data Protection Act 2018 (DPA). The ICO also plans to issue new codes of practice as required by the DPA after ongoing consultations.
The results of a recently published consultation on the territorial scope of the GDPR are also expected this year, along with guidance on international transfers in general, and the use of codes and certifications as appropriate safeguards for international transfers.
The Data Protection Act 2018 will continue to affect technology in 2019
Data protection in technology continues to be a priority for the ICO and the draft E-Privacy Regulation (ePR) is likely to be adopted in 2019, which will renew the focus on cookies and other similar technology. Although it is unlikely that the ePR will be implemented before Brexit, the draft proposes that it should apply regardless of whether the processing of data takes place in the EU, or whether the processor is located in the EU. It is likely that it will therefore be introduced in any event.
The ICO will launch the regulatory sandbox with a consultation workshop scheduled for February and it has confirmed that Artificial Intelligence, big data and machine learning are priorities as part of its technology strategy.
Recent cases relating to the Data Protection Act 2018
A stark warning regarding the potential sanctions for data breaches has already been delivered this year, with SCL Elections Ltd (trading as Cambridge Analytica) pleading guilty on 9 January 2019 to failure to comply with an enforcement notice, leading to a fine of £15,000 plus costs. It is likely that we will see further cases of this nature in the future.
In the civil sphere, the Irish Supreme Court has granted Facebook leave to appeal a European Court of Justice reference relating to the validity of the controller-to-processor standard contractual clauses, and this is due to be heard in January. Morrisons is also expected to appeal a Court of Appeal decision on a case concerning vicarious liability over an employee's deliberate disclosure of data.