The UK, the EU and Brexit – once again

With the general election hopefully producing an end to the Brexit deadlock one way or another, several questions remain open for the future of the UK data protection framework. As the Court of Justice of the European Union (CJEU) keeps issuing data protection decisions that are affecting practitioners’ life on a daily basis, what about the future? If the UK actually leaves the EU, and is therefore no longer subject to these rulings, what will be the status of the previous rulings of the CJEU in the UK courts after exit?

If the UK leaves the EU without a Withdrawal Agreement, i.e. it has not been ratified by January 2020 and the UK has not asked/been given an extension, a no-deal Brexit would mean that organisations would need to revert to alternative arrangements for international data transfers. The DCMS is starting to prepare its own adequacy assessments – perhaps in vain in the middle of all the uncertainty.

Facial recognition has caused a stir not just in the UK but around the world. Whilst the ICO has alerted organisations to rules of fair play, France’s regulator has ordered two high schools to end their facial recognition programs, and in Sweden, the DPA has imposed a fine of 200,000 Swedish Krona (£16,000) on a municipality that used facial recognition in a school.

The international conference of data protection authorities tackles these types of questions together. We were pleased to attend the conference in October in Albania, where the ICO was at centre stage as the conference Chair. We made many new contacts, as the international privacy scene is expanding rapidly with new delegates from Africa and Asia.

The decision to allow Lloyd v Google to proceed as a class action will have important consequences for group litigation in the UK. On 4 October, the High Court granted permission for British Airways customers to bring a group litigation order. The 2018 British Airways data breach occurred under the GDPR so we await to see whether the ICO’s intention to fine the company £183,390 million will stick.

In the meantime, the ICO is consulting both on data sharing and its aim to seize assets under the Proceeds of Crime Act 2002.

Laura Linkomies
Editor, Privacy Laws & Business

November 2019