The glorious Brexit uncertainty: The only dead cert on data rules for tech biz in 2019

UK's exit from the EU and ePrivacy regs: contingency planning and confusion

At the dawn of 2018, GDPR was a dead cert. The four letters were on everyone's lips and, with a helpful nudge from Facebook and Cambridge Analytica, set the privacy world aflame.

This year, data protection minds will re-focus on more uncertain matters: the ePrivacy Regulation, once intended as the EU's General Data Protection Regulation's intended legislative sibling, and – of course – Brexit.

The European Union had planned to implement the ePrivacy Regulation – which sets out privacy rules for electronic communications – at the same time as the General Data Protection Regulation, which covers protection of personal data.

But as May 2018 approached, and then came and went, it was clear there wasn't a hope of that happening. Instead, the past year has been spent in a deadlock between member states, as disagreement and intense lobbying threatens to scupper the legislation's chances.

Even the idea that member states would reach a group position in 2018 has proven to be a pipe dream. And a group position is needed before trilogue negotiations between the three EU institutions (Commission, Parliament and Council) can begin.

Now observers are managing their expectations; the hopes have shifted to the idea of reaching an agreement before the European elections in May.

If the regulation hasn't entered trilogues by then, the concern is that the disruption will mean it slips off the agenda altogether; if it does, it will be a good signal a compromise can be reached – but it's still unlikely to come into effect until 2020.

The regulation will replace the ePrivacy Directive, and aims to ensure consistency across the European bloc – at the moment, the Directive is implemented in very different ways in each member state. It will set the rules on communications data not classed as personal, like metadata related to the locations, timing, duration and type of communication.

Who is pushing back?

But it has faced a tough fight against the advertising lobby, in part because the rules would give users the right to object to being tracked when they use a website, and require that they are allowed to access a site even if they reject cookies.

The initial proposal was published in January 2017, it scraped through the European Parliament in October 2017 and has since then been going through a series of rewrites by the Council. A revised draft was published in July this year, and another set of amendments were published in October.

Some of the rules in the initial proposal have been watered down by the revisions made by the Austrian presidency – the nation held the position for the six months from July 2018.

The presidency has also warned that original proposals – which would have seen users asked to review their privacy settings whenever changes to policies were made – could lead to "consent fatigue".

However, some have warned that the changes – which include deleting Article 10, detailing how privacy settings on browsers should be configured – have muddied the water, for instance by leaving issues on cookies unclear.

Debbie Heywood of law firm Taylor Wessing said that uncertainty was the most difficult issue for businesses to deal with.

"The most pressing issues which the final version of the Regulation needs to clarify are the approach to B2B electronic unsolicited and direct marketing communications, and the extent to which browsers are really able to satisfy cookie consent requirements," she said in a blogpost.

Brexit means... maybe Brexit?

Michel Barnier, chief EU Brexit negotiator

UK.gov tells companies to draft contracts for data flows just in case they screw up Brexit

READ MORE

The other major uncertainty facing businesses as they head into 2019 is Brexit, and what that means for data flows between the UK and Europe – something that will affect companies on both sides of The Channel.

In the UK, the government and the Information Commissioner's Office published guidance for organisations to prepare just 100 days before the scheduled departure date, at long last offering more detail than the technical notices technical notice issued in September.

The guidance warned that businesses need to prepare contingencies for data governance if the UK leaves without a deal – as there will be no interim protections for data flows in this case – and review their European operations.

The UK is seeking an adequacy decision from the EU – a rubber stamp saying the UK's standards of protection are up to scratch – but companies can't rely on this happening quickly.

One possible alternative route is standard contractural clauses (SCCs), which are standard terms and conditions that the organisation in the European Economic Area must comply with. The government confirmed that existing SCCs would be an effective basis for international transfers in the event of no-deal and that the ICO would be able to issue SCCs post-Brexit.

Neil Brown, tech lawyer at decoded: Legal, said that there would be some additional work for firms that didn't need to clauses, "but this should be little more than a straightforward contract variation to add them into their contract".

Advising companies to use SCCs has been somewhat controversial because they are currently being challenged in the European courts by activist and lawyer Max Schrems.

"There is a bigger question as to whether the standard contract clauses are, in fact, 'adequate' from a data protection point of view," Brown said. "But the ICO's guidance for now is to make use of them while they remain in effect."

However, in complex or unusual cases, SCCs probably won't be suitable, so firms should use a different role, such as Binding Corporate Rules, which are designed to allow multinational companies to transfer personal data out of the EEA. When the Withdrawal Agreement was published last month, questions were raised about whether BCRs granted by the ICO would still function after Brexit.

The latest ICO guidance said that existing BCRs "are likely to permit the transfer from the EEA to the UK", as long as firms make appropriate changes to show the UK is a third country. This is subject to confirmation from the European Data Protection Board, it said in the six-point plan, and again, the ICO would "continue to be able to authorise new BCRs under domestic law" after exit.

Beyond this, the ICO stressed data controllers' responsibilities won't change, as the provisions of GDPR will be written into UK laws with technical amendments so they work in a UK-only context.

But companies that work in both the UK and EEA countries may need to make other changes, for instance if the UK is currently a company’s lead supervisory authority, it might want to switch it to another member state.

This is because of the "one-stop-shop" principle, which allows companies to name a single, lead authority rather than dealing with regulatory and enforcement action from every DPA in the affected member states.

"After the UK exits from the EU, if you no longer have a lead authority and cannot benefit from One-Stop-Shop, this could significantly affect your business and the resources you need to deal with enquiries from various European data protection authorities," the ICO warned.

Meanwhile, companies that sell goods or services to people in the EEA and are based only in the UK, and no other member state, will have to comply with the EU regime and appoint a representative in the EEA.

Max Schrems

Schrems' Facebook case edges closer to ruling over EU-US data flows

READ MORE

This person can't be the firm's data protection officer or one of its processors, and there are exemptions for public authorities or organisations that process low risk data or only do it occasionally.

Another basic step all companies will need to take is making sure privacy policies and other documentation are up to date, especially if they refer to EU law, and reflect that the UK is a third country in relation to the EU.

Brown said the guidance, which includes a six-point plan (PDF) and a set of FAQs, was "pragmatic and no-nonsense".

But Heather Burns, a technologist and internet regulation expert, said it addresses "the noise but not the signal".

For her, the guidance fails to answer the major question of "where SMEs and microbusinesses will find the time, labour, and in the case of contractual clauses, legal fees to do the work required to keep their businesses running exactly as they were before".

Indeed, businesses issued a stark warning just before Christmas that the contingency plans firms are being forced to put in place "are a significant drain of time and money".

It's also worth noting that data flows may not be at the forefront of business leaders' minds as they grapple with staffing or immigration issues and consider stockpiling products in case of supply chain problems.

At the moment, the one thing that can be said about 2019 with certainty is that it is coming with a lot of uncertainty for tech business. ®

Sponsored: Becoming a Pragmatic Security Leader




Biting the hand that feeds IT © 1998–2019