When will the EU Data Protection Regulation enter into force in the UK?

I am making an assumption that regardless of whether the UK votes in the referendum on 23 June to stay in or leave the European Union, the EU Data Protection Regulation will still apply in the UK on 25th May 2018.

My reason is that companies want one set of rules across the European Economic Area and consumers will want to embrace the stronger rights which the Regulation gives them, helped by representative consumer organisations and competition authorities where necessary. If the UK leaves the European Union, the government would presumably apply for an EU “adequacy” declaration. But does the UK want to join the queue behind South Korea and probably Japan?

What about organisations operating wholly within the UK? Would the EU DP Regulation be such a burden? Christopher Graham, the Information Commissioner has used his discretion to make the law operate in the UK in a less bureaucratic manner than in some other countries. We will wait and see how this discretion extends into the future when Elizabeth Denham takes over from Christopher Graham after 28 June. Both Laura Linkomies, Editor, and I attended the Department of Culture, Media and Sport House of Commons Select Committee hearing in Westminster on 28 April when Ms. Denham was subjected to intensive questioning by the MPs. That is how PL&B was the first with the news of her appointment early the following morning which we sent out as an e-news.

The UK’s room for manoeuvre

Iain Bourne, Data Protection Policy Delivery Group Manager at the Information Commissioner’s Office will shine light on the derogations, this room for manoeuvre for interpreting the EU Data Protection Regulation in the UK, when he addresses this issue on 4th July at Great Expectations, PL&B’s 29th Annual International Conference in Cambridge. On the same day, the UK’s Data Protection Minister, Baroness Neville-Rolfe, will give the conference the government’s perspective on the EU Data Protection Regulation package. There are many sessions specifically covering UK issues in addition to the international ones.

The difference between the Regulation’s “in force” and “apply” dates

When the EU Data Protection Regulation’s timetable was announced on the European Commission’s website the wording raised more questions than it answered. It states:

“On 4 May 2016, the official texts of the Regulation and the Directive have been published in the EU Official Journal in all the official languages. While the Regulation will enter into force on 24 May 2016, it shall apply from 25 May 2018.”

After constantly being informed that we all had two years to adjust, it seemed rather scary to learn that the Regulation would enter into force within a few days. Therefore, in order to understand the difference between “in force” and “apply” I went to the top and asked Bruno Gencarelli, Head of the Data Protection Unit, Justice, the European Commission, for an explanation.

PL&B’s Question: What do the terms “in force” and “apply” mean? Usually, the term “in force” means when the law applies to the people subject to the law. But as the companies’ duties and the individuals’ rights begin on 25 May 2018, these words do not seems to match their plain meaning.

Does “in force” mean in this context that the two year timetable begins on 24 May 2016 so that everyone involved must start preparing? If not, what does “in force” mean in this context?

The European Commission’s answer in less than an hour! This is not unusual in EU law. The texts will be fully applicable to companies, and individuals will be able to invoke their rights in two years time. In the meantime, “in force” means that EU Member States cannot take any measure compromising or prejudicing the goals and content of the Regulation or the Directive and, for example, have to abrogate any rule that is contrary to the Regulation/Directive.

It was decided to provide for a two-year transition to allow all interested parties (Member States, Data Protection Authorities, companies etc.) to prepare themselves for the full application of the new rules. This was already part of our original proposal.

PL&B enables you to engage directly with the decision-makers

One of the benefits of subscribing to PL&B Reports and attending PL&B events is that you have an unrivalled opportunity to engage directly with policymakers and regulators both in sessions and informally on:

• 25 May in London and 28 September in Birmingham on the impact of the EU DP Regulation in the UK and

• 4-6 July at PL&B’s conference in Cambridge with 40+ speakers from 16 countries. You will meet Bruno Gencarelli on the 2nd day of the conference and Giovanni Buttarelli, the European Data Protection Supervisor, on the 3rd day.

By the time of the July edition of the PL&B UK Report, we will know the outcome of the referendum, Christopher Graham will have given his final Annual Press Conference, and Elizabeth Denham will have started work as the UK’s Information Commissioner. This is the first time we are aware that any Data Protection or Freedom of Information Commissioner anywhere has been appointed from a different country, which is sure to give her a fresh perspective.

If you would like us to interview you about the way you are tackling data protection or freedom of information issues, please e-mail Laura Linkomies so we can arrange to interview you. We check our drafts that are accurate by giving you an opportunity to comment before publication.


Stewart Dresner, Publisher


UK Report 85

Lead story:

‘Battle tested’ Denham ready to take reins at the ICO

Laura Linkomies reports from Parliament in Westminster on the appointment that now awaits the signature of the Queen.

Contents also include:

  • Comment: Next steps for data protection
  • Royal Mail becomes certified online identity provider
  • Legitimate interest ground under the GDPR: Change ahead
  • Member States’ derogations undermine the GDPR
  • Data Protection in the new world of Artificial Intelligence
  • Do employers have the right to read employees’ private emails?
  • How Transport for London protects customer privacy
  • It is time to get GDPR compliant
  • Book Review: Protecting yourself in a world full of scammers
  • UK sessions at Great Expectations PL&B’s 29th Annual Conference
  • Latest FOI disclosure logs
  • Government fights cyber crime
  • Blacklisted construction workers win compensation
  • Privacy and consumer advocacy
  • High Court decides on ‘abuse’ of SAR process
  • Degradation of privacy standards ‘abuse’ under competition law?
  • EU DP Regulation will apply 25 May 2018
  • ICO issues Undertaking on HSCIC
  • Around 1 in 45 patients opt-out