EU Regulation On Data Protection Unlikely To Become UK Law Before 2019
Nearly four years into the process, the Council of the European Union has now decided on its negotiating position for the trilogue with the European Parliament and the European Commission. There is now a timetable running to December 2015, during which representatives from the Council, the Parliament and the Commission will come together to decide on the final wording of the new EU-wide data protection regulation. This means that if they stick to this timetable, which on past form is by no means certain, by the end of 2015 we should know how the new regulations will affect direct marketers in the UK.
Among the controversial questions still to be thrashed out are:
What is the precise definition of ‘personal data’?
How will the ‘right to be forgotten’ work in practice?
What exactly is meant by the ‘legitimate interest’ of data controllers? Does this include marketing? And if it does, does it include any or all of consumer marketing, B2B marketing, online marketing and offline marketing?
Must consent be ‘explicit’ or not?
Will compulsory data breach notification apply to minor breaches or just high risk breaches?
Will all businesses be required to have a data protection officer?
What happens if EU data protection rules conflict with a non-EU country’s data protection rules?
While we might know what the new regulations will be by the end of 2015, they are unlikely to be adopted into EU law before mid-2016. In fact the Information Commissioner’s Office now estimates that the two year run-in period before the regulations become compulsory can realistically be expected to start at the end of 2016, meaning that they will not be enforced in the UK before the beginning of 2019.