Patsy Ciardullo
The American University
International Law Review
First Draft Spring 2017-Option IV
Senior Note and Comment Editor: Valli Sanmugalingam & Janet Lee
Note and Comment Editor: Powell Wright & Gabriela Chambi
Abstract
the United Kingdom was a Member State when the Regulation passed
into law in 2016, and will not exit the E.U. by 2018 when the
Act (IPA), which conflicts with the purpose of the GDPR, and (2)
when the UK exits the E.U., UK businesses still must meet the
The UK could still adopt the GDPR to benefit from the data
I. Introduction
to respect for his private and family life, his home and his
Union citizens.3
https://www.civilsociety.co.uk/voices/gerald-oppenheim-why-we-
are-launching-guidelines-on-data.
The 1995 E.U. Data Protection Directive will be replaced by
States.5
E.C.R. 572 para. 128 (arguing that the right to privacy has been
5 Id.
The GDPR outlines the requirements governments must meet to
however, also falls within a broader scope of what data privacy
the General Data Protection Regulation and why should you care?,
article/3140459/compliance/what-is-the-general-data-protection-
should care about the General Data Protection Regulation and the
impact that the new legal framework will have around the world).
810750/brexit-to-further-splinter-global-data-protection-rules.
Act, passed into law in 2016 because the UK's law violates GDPR
rights with respect to their own data. As the E.U.'s new law, it
which the GDPR replaces, and the reasons that the old data
11 Id.
II. Background
Directive 1995/46].
2016) [hereinafter Kritzer & Mazzotta, The New E.U. General Data
Protection Regulation].
14 Id.
15 Directive 1995/46, supra note Error! Bookmark not defined., at
drafted and implemented, the Directive was applicable to all
Directive.18
2008), http://whatis.techtarget.
com/definition/EU-Data-Protection-Directive-Directive-95-46-EC.
16 Directive 1995/46, supra note Error! Bookmark not defined., at
38.
18 Id.
requirements for data transfers to countries outside of the
E.U.19 Here, the E.U. stated that personal data transfers could
19 Id.
20 Id.
general-data/9781849288378/xhtml/chapter_13.html# [hereinafter
Internationally].
22 Id.
23 Directive 1995/46 supra note Error! Bookmark not defined., at
40.
processed fairly and lawfully, collected for specified,
further processed.25
24 Id.
25 Id.
their personal data to track terrorists in countries within the
his case to the ECJ and prevailed, effectively striking down the
scheme).
https://www.theregister.co.uk/2015/10/23/ftc_eu_safe_harbor/.
certified under the Safe Harbor Agreement who then also granted
In 2014 England enacted the Data Retention and
Schrems case ignores the fact that data found in the E.U. is
(Eng.).
theguardian.com/world/2015/nov/04/theresa-may-surveillance-
measures-edward-snowden.
32 Id.
B. The Harmonization of Data Protection in the E.U.
33 A Primer on the GDPR: What You Need to Know, Proskauer (Dec. 25,
2015), http://privacylaw.proskauer.com/2015/12/articles/european-
union/a-primer-on-the-gdpr-what-you-need-to-know/.
protection law).
35 Id.
https://www.safaribooksonline.com/library/view/eu-general-
commonly referred to as such37. The principles emanate from
Article 538 and guide compliance with the Regulation.39 The six
data/9781849288378/xhtml/chapter_04.html# [hereinafter IT
37 Id.
2016), https://www.whitecase.com/publications/article/chapter-6-
data-protection-principles-unlocking-eu-general-data-protection.
limitation41; data minimization42; accuracy43; storage
principle means that the data subject must be told what the
data will be used for and limit the processing to only what is
incorrect information).
work).
The GDPR redefines what information constitutes personal
data46 and what consent47 means under the new regime. It further
https://www.whitecase.com/publications/article/chapter-5-key-
definitions-unlocking-eu-general-data-protection-regulation#.
47 IT Governance Privacy Team, Chapter 10: Consent, in E.U.
sonline.com/library/view/eu-general-data/9781849288378/
xhtml/chapter_10.html.
36.
intelligible form.50 For example, the right to information
processor.52 The GDPR does not allow the controller to deny the
50 Id.
48.
The GDPR will utilize the One-Stop-Shop theory to
State will still have national SAs,57 whose job function will be
54 Id.
57 See id. (operating under the One Stop Shop Procedure of the
to investigate and enforce the GDPR whenever a complaint is
overlap with the role of the Lead SA, it must inform the Lead
measures.).
58 Id.
59 Richard Craig, The One-Stop Shop, Taylor Wessing (Apr. 2016),
https://www.taylorwessing.com/globaldatahub/article-the-one-
substantially").
to have all Lead SA collaborate with Concerned Supervisory
which drafted the GDPR also created the Binding Corporate Rules
law/article_Greenberg-Traurig-LLP_2228098.htm.
63 Id.
64 Id.
Unlike the Directive, which only some Member States
system more efficient and less onerous than the current one.66
outside the E.U. must use the same standard of protection for
States recognized BCRs under the Directive and that the process
66 Id.
operational-impacts-of-the-gdpr-part-3-consent/.
unambiguous, can be revocable, and can only be obtained through
69 Id.
70 Id.
71 Top 10 Operational Impacts of the GDPR: Part 3 Consent, The
48.
73 Id.
is passed to a processor, whether that processor is inside or
or call made, with the date, time and duration of these actions
74 Id.
note 11.
9445cac8966f.
/world/2016/nov/19/extreme-surveillance-becomes-uk-law-with-
barely-a-whimper.
included.78 The UK Information Commissioner Elizabeth Denham is
charged with dealing with the implementation of the GDPR and the
IPA, and to date has claimed the UK will follow the GDPR.79
events/insight/new-uk-information-commissioner/.
note 11.
com/2016/11/23/13718768/uk-surveillance-laws-explained-
investigatory-powers-bill.
force technology companies and others to hand over the data that
Under Intense New Spying Regime, The Indep. (Dec. 27, 2016),
http://www.independent.co.uk/life-style/gadgets-and-
tech/news/investigatory-powers-act-bill-snoopers-charter-spying-
note 81.
2016), https://www.liberty-human-rights.org.uk/news/press-
releases-and-statements/government-breaking-law-collecting-
everyones-internet-and-call.
personal information for their clients which may be accessed in
https://philmuncaster.com/2017/02/24/gdpr-and-snoopers-charter-
misunderstand what they are asking for [they] really just want
back end access so that they can access the cloud, and they
NHS, the Department of Health, the Food Standards Agency and the
Gambling Commission).
is by obtaining an adequacy jurisdiction ruling or having the UK
(Case C-362/14) the CJEU struck down the E.U.-US Safe Harbor
Brexit and the U.K. Data Protection Regime, 28 Intell. Prop. &
89 Id.
90 Id.
adequate level of protection of personal data belonging to the
E.U. citizen.91
698/15), the CJEU ruled that the mass data retention powers
that data retention laws were illegal.93 At the time, two English
lawsuit where the ECJ struck down the law on appeal.94 The Watson
91 Id.
93 Id.
95 Brexit Will Happen. The E.U. GDPR Will Happen. You Can't Avoid
co.uk/2016/09/16/data_centres_processors_gdpr_uk_vs_eu/.
From its inception the IPA was scrutinized by human rights
organizations who criticized the law and pointed out that the
activity and phone records.96 Some legal experts say that based
back-ups.).
http://www.cityam.com/256017/snoopers-charter-internet-data-
(explaining that the CJEU ruled on the now expired DRIPA law,
III. Analysis
effect).
48 (noting that the GDPR has codified the principle of the right
remain compliant with the GDPR they must abide by these requests
99 Id.
data that they have their data, they also must inform them that
101 Id.
47.
103 See generally Bert-Jaap Koops, The Trouble with European Data
http://www.wired.co.uk/article/uk-government-encryption-
snoopers-charter.
The IPA and GDPR conflict precisely on the issue of
since they are not taken into consideration when the government
they must collect, retain and unencrypt data to comply with the
in Hell, supra note 85; GDPR - (New) Rights of the Data Subject,
us/news-events/news/gdpr-new-rights-of-the-data-subject.
communications service providers have over personal data.108 By
functions like a contract between the data subject and the data
108 Id.
as a proxy for its data collection activities. This profound
extent that there is a clear sense of where the data is, and why
112 Id.
113 GDPR - (New) Rights of the Data Subject, supra note 106.
information that data controller has on the individual.114 The
own their personal data and can make informed decisions about
114 Id.
115 Id.
116 GDPR - (New) Rights of the Data Subject, supra note 106.
117 Id.
118 Id.
information may be held. It also forces a level of compliance
will be used for, and the power to withdraw consent will in the
119 Id.
note 36; GDPR - (New) Rights of the Data Subject, supra note
106.
121 A Primer on the GDPR: What You Need to Know, supra note 33.
2016), https://www.whitecase.com/publications/article/chapter-
16-remedies-and-sanctions-unlocking-eu-general-data-protection.
Moreover, the right to withdraw consent triggers the data
Countries Indiscriminately
GDPR can only provide adequate protection to personal
in a global economy.126
127 GDPR - (New) Rights of the Data Subject, supra note 106.
Third Party country providing essential equivalence128 in terms
130 Id.
contractual agreements to accomplish data transfers from the
controllers that they do not own the data about the subject,
they merely have permission to use the data until such a time as
consent is withdrawn.
131 GDPR - (New) Rights of the Data Subject, supra note 106.
necessary for the intended purpose; (2.) when the data subject
obligation; or (6.) when the data concerns a child and has been
request to erase any link to, copy or replication of this
133 GDPR - (New) Rights of the Data Subject, supra note 106.
134 Id.
135 Id.
137 Yuli Takatsuki, The Tele2/Watson case: What are the key
on exiting, the IPA would still be in violation of Article 45 of
the GDPR.138 The IPA is broadly written so that all forms of data
exit from the E.U. does not mean that companies in the UK will
other country, the UK's exit from the E.U. has created domestic
fieldfisher.com/2017/the-tele2watson-case-what-are-the-key-
takeaways-and-what-is-to-become-of-the-new-investigatory-powers-
act/.
143 Jay, Some Reflections on Brexit and the U.K. Data Protection
144 Id.
uncertainty about the future of personal data access, since the
crime, 146 but not mass and indiscriminate data collection in the
believe that there is crime afoot and that the data collected
crime.
In its current form, the IPA will allow the personal data
145 Id.
of both Articles 7 and 8 of the European Charter148 and the GDPR.
While the GDPR attempts to put power over personal data back in
149 The Law We All Thought A Safe Zombie Bill Is Alive Key
Things You Need To Know About The Snoopers Charter, Data Econ.
zombie-bill-alive-key-things-need-know-snoopers-charter/.
to combat terrorism, but this is an insufficient reason for
2317900/minister-says-snoopers-charter-should-be-celebrated-as-
to process be obtained in a clear,152 intelligible and accessible
services for E.U. consumers, the law must offer the same level
IPA and the GDPR diverge on the issue of data retention and
153 See A Primer on the GDPR: What You Need to Know, supra note
purpose limitation for the data being processed.154 When the GDPR
seems to be a core problem with the IPA, given that the IPA
the other hand the GDPR makes consent a right not a privilege
government authority.
Hell, supra note 85; GDPR - (New) Rights of the Data Subject,
Furthering the conflict between the IPA and the GDPR is the
157 The Law We All Thought A Safe Zombie Bill Is Alive Key
Things You Need To Know About The Snoopers Charter, supra note
149.
explicit and legitimate purposes and the consent given for such
purposes.).
note 36.
trying to minimize the possibility of data breaches160 which are
being processed.
adequate jurisdiction from the GDPR.164 Data security experts
61168 of the IPA are too broad. Almost any justification for
definitions.
165 Id.
166 The Law We All Thought A Safe Zombie Bill Is Alive Key
Things You Need To Know About The Snoopers Charter, supra note
149.
168 Id.
IV. Recommendations
but it does not lay out the specific mechanism for enforcing
171 Koops, The Trouble with European Data Protection Law, supra
note 103.
purpose).
rectify or erase information, and do so at no cost to the
requesting person.173
all other data controllers. The GDPR is not clear on what the
is not fair to require that companies run with the complete cost
subjects' rights.
Consent Explicitly
173 GDPR - (New) Rights of the Data Subject, supra note 106.
However, although the drafters had the opportunity to make
data.177 The problem is that the GDPR does not provide guiding
on the matter.178
the clear line of when the data controller has trespassed on the
european-union-n57982067329/.
176 Id.
179 Id.
C. The GDPR Reflects a Strong Commitment to Individual Data
Protection
access of data for limited and specific purposes, and yet the
Apply from 25 May 2018, Herbert Smith Freehills (May 06, 2016),
https://www.herbertsmithfreehills.com/latest-thinking/save-the-
data-eu-general-data-protection-regulation-to-apply-from-25-may-
regime, may now find themselves subject to the GDPR if they are
IPA's expansive powers181 arguably are the very antithesis of the
the IPA is for the UK to broker its own version of the Data
s-spying-bill-complicates-fate-of-data-transfer-deals.
182 Jay, Some Reflections on Brexit and the U.K. Data Protection
obstacle to cross is still to be deemed an adequate
outside the E.U. as the information would have in any other E.U.
with the IPA the best example to follow is the US, which
http://privacylaw.proskauer.com/2016/07/articles/european-
union/privacy-shield-adopted-but-uncertainty-remains/ (explaining
current data protection laws in the E.U. and the future GDPR,
as Safe Harbor, will also be what sinks this agreement since the
engage in data transfers even with the broad surveillance laws
V. Conclusion
Initially at least, the UK will have to adopt the GDPR185
because the extrication of the country from the E.U. will take
Already there are concerns that see that the IPA and the
186 Id.
187 See id. (As we leave the E.U., we will seek to maintain the
UK.).
harmonise [sic] its laws with the GDPR. But the bulk data
would be the most affected by the competing demands.190 By
enacted into law, there will likely be many legal challenges and
co.uk/2017/01/09/why_the_uk_is_unlikely_to_get_an_adequacy_deter
mination_post_brexit/.
Hell, supra note 85 (quoting Emily Taylor, the author notes that