March 21, 2019

March 20, 2019

Subscribe to Latest Legal News and Analysis

March 19, 2019

Subscribe to Latest Legal News and Analysis

March 18, 2019

Subscribe to Latest Legal News and Analysis

UK Starts 3-Week Consultation on GDPR Implementation

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”

The UK consultation therefore asks for input about how those national “derogations” should be exercised (if at all), grouping them into the following 15 “Themes”:

  1. Supervisory authority powers and procedures

  2. Sanctions

  3. Demonstrating compliance (e.g. codes of conduct and record-keeping)

  4. Data protection officers

  5. Archiving and research

  6. Third country transfers (exports of personal data to non-EEA countries)

  7. Sensitive personal data and exceptions

  8. Criminal convictions

  9. Rights and remedies (e.g. protection against algorithm-driven decision-making, and the availability of collective redress mechanisms)

  10. Processing of children’s personal data by online services (e.g. age under which apps and website must obtain consent from a parent)

  11. Freedom of expression in the media (e.g. exceptions from the “right to be forgotten” by media organisations, and from the right to information about their sources)

  12. Processing of data (a broad “theme” everything from basic fairness and “further processing” conditions, through to HR data processing, via topics as broad as information security, data protection impact assessments, and use of third party “data processors”).

  13. Restrictions (the setting aside of GDPR rules that conflict with a public interest, for instance national security)

  14. Rules surrounding churches and religious associations

  15. Additional (overarching) question: “in the context of the derogations above, what steps should the Government take to minimise the cost or burden to business of the GDPR?”

© 2019 Covington & Burling LLP

TRENDING LEGAL ANALYSIS


About this Author

Philippe Bradley-Schmieg, Covington Burling, Data privacy and cybersecurity attorney
Associate

Philippe Bradley-Schmieg's practice covers a range of regulatory and commercial matters affecting the IT, internet media, e-health and telecoms sectors across the world.

Mr. Bradley-Schmieg advises on legislation, enforcement, advocacy and contracts relating to privacy, data protection, consumer protection, intermediary liability, copyright and databases, Big Data, medical confidentiality, cybersecurity, law enforcement data requests, and smart medical devices and apps.

44-20-7067-2282