GDPR implementation: minor changes and big questions

With the GDPR taking effect later this month, the Council of the EU has done its last round of proof-reading and made some changes to the final GDPR text. Most of those will be inconsequential for the majority of controllers and processors. Meanwhile, on this side of the Channel, a much bigger question remains unanswered: when exactly will we get our Data Protection Act 2018?

GDPR: minor corrections

The EU Council’s corrections document, published today, tidies up some clerical errors and suchlike. The English language changes are at pages 90-99. Most of them are unimportant to almost all of us: they are largely concerned with the provisions about codes of conduct, accreditation and certification, and aspects of the co-operation procedures for supervisory authorities.

The only correction that might affect the plans of data controllers and processors is the one to Article 37(1), which tells us when it is mandatory to have a data protection officer (DPO). There are three mandatory cases. You must have a DPO if you are a public authority. You must have one if your ‘core activities… consist of processing operations which, by virtue of their nature, their scope and/or their purposes, require regular and systematic monitoring of data subjects on a large scale’. You must also have one if your ‘core activities… consist of processing on a large scale of special categories of data pursuant to Article 9 and personal data relating to criminal convictions and offences referred to in Article 10’.

Today’s published correction replaces the ‘and’ in that third case (‘data pursuant to Article 9 and personal data relating to criminal convictions’) with ‘or’. So, if you were thinking that you need not have a DPO because you only process one (but not both) of the sensitive categories (special category data; criminal convictions data), think again. If your core activities concern large-scale processing of either of those, you must have a DPO.

Excuse me, I hear you say, but can you remind me what is meant by ‘core activities’ and ‘large scale’ here? Yes, certainly: there is very helpful guidance on these issues in this document from the Article 29 Working Party.

Domestic legislation: tick, tick

So much for minor points of clarification. The above has something of a ‘deckchairs on Titanic’ feel to it, in comparison to the much bigger question for data protection in the UK, namely: when are we getting our new Data Protection Act 2018? We are all familiar by now with the DP Bill (see its most recent iteration here), and there is a very useful summary of what happened at the Committee stage here, by John Woodhouse of the House of Commons Library.

But when is that Bill due to get its final going-over before Royal Assent? Good question. There needs to be a report stage and a third reading, consideration of amendments and then Royal Assent. The Parliamentary business timetable for next week makes no mention of the DP Bill, as far as I can see. That does not leave much time for getting the DPA 2018 on the statute books before GDPR day (25 May).

Time pressures also mean that the deadline for implementing the Law Enforcement Directive (6 May) will almost certainly not be met, as that is bundled up in the DP Bill.

International transfers

Oh, and on the subject of the uncertain future of big pieces of our data protection furniture, note also that one of the primary mechanisms for transferring data outside of the EU (model contract clauses) is in a state of uncertainty. The current clauses need revision to get them into GDPR-compliant shape. They are also facing a root-and-branch assault before the CJEU in the ‘Schrems II’ litigation, on the grounds that they give the green light to transfers that imperil data privacy, contrary to individuals’ rights under the EU Charter. For a very good summary of the issues in that litigation, see this post on Out-Law by Andreas Carney.

There. I’m glad we’re all crystal clear on every detail of the imminent future of data protection. No uncertainty at all. You’re welcome.

Robin Hopkins @hopkinsrobin