August 20, 2017

August 18, 2017

Subscribe to Latest Legal News and Analysis

August 17, 2017

Subscribe to Latest Legal News and Analysis

UK Starts 3-Week Consultation on GDPR Implementation

On Thursday, April 20th, the UK government launched a “Call for Views” regarding the UK’s options for the implementation of the new EU General Data Protection Regulation (GDPR) at national level.  The consultation deadline is May 10th, at mid-day UK time.

Although the GDPR was an effort to bring greater harmonization to data protection regimes throughout the EU, it nevertheless contains a number of areas in which national laws can deviate from its default position – for instance to permit researchers to store and use health data without having to repeatedly seek consents, or to ensure that freedom of expression is not unfairly curtailed by the “right to be forgotten.”

The UK consultation therefore asks for input about how those national “derogations” should be exercised (if at all), grouping them into the following 15 “Themes”:

  1. Supervisory authority powers and procedures

  2. Sanctions

  3. Demonstrating compliance (e.g. codes of conduct and record-keeping)

  4. Data protection officers

  5. Archiving and research

  6. Third country transfers (exports of personal data to non-EEA countries)

  7. Sensitive personal data and exceptions

  8. Criminal convictions

  9. Rights and remedies (e.g. protection against algorithm-driven decision-making, and the availability of collective redress mechanisms)

  10. Processing of children’s personal data by online services (e.g. age under which apps and website must obtain consent from a parent)

  11. Freedom of expression in the media (e.g. exceptions from the “right to be forgotten” by media organisations, and from the right to information about their sources)

  12. Processing of data (a broad “theme” everything from basic fairness and “further processing” conditions, through to HR data processing, via topics as broad as information security, data protection impact assessments, and use of third party “data processors”).

  13. Restrictions (the setting aside of GDPR rules that conflict with a public interest, for instance national security)

  14. Rules surrounding churches and religious associations

  15. Additional (overarching) question: “in the context of the derogations above, what steps should the Government take to minimise the cost or burden to business of the GDPR?”

© 2017 Covington & Burling LLP


About this Author

Philippe Bradley-Schmieg, Privacy and Technology Attorney, Covington Law Firm

Philippe Bradley-Schmieg is an associate in the privacy, technology and media and life sciences regulatory practice groups, having joined the firm as a trainee solicitor in 2012.

Mr. Bradley-Schmieg's practice covers a range of commercial, regulatory and intellectual property matters affecting the IT, e-health, internet media and telecoms sectors, often with a multi-jurisdictional scope.

Mr. Bradley-Schmieg advises on intellectual property, compliance and policy matters such as online consumer rights, liability for...