As we approach the first anniversary of the GDPR being ushered in, it is easy to forget that another piece of associated legislation was due to be introduced across the EU at the same time.
The ePrivacy regulation is destined to supersede the outdated Privacy and Electronic Communication Regulation (PECR) and, in its current draft form, will have radical effects on the way UK companies conduct their B2B sales and marketing activities.
The big change within the agreed draft is that activities such as emailing and telemarketing will have to be done on an “opt-in” basis, where clear consent will have to be gained. Operating on a legitimate interest basis will not be acceptable.
However, it is some way from being agreed within the EU and the delays on its introduction will continue for some time yet – 2020 is being mooted for finalisation but 2021 is seen as a more realistic completion date.
The DMA has recently issued a blog which explains the current position in more detail. In the end, I am sure that common sense will prevail, but don’t assume that the ePrivacy threat has disappeared, as it is still skulking around the corridors of the EU.
Is there another monster lurking?
Another spanner in the works is what might happen if we leave the EU without a deal. As discussed in our recent blog, if Britain leaves the EU without a deal we begin to work with Europe from outside the EU and with no recourse to existing relationships, partnerships, legislation etc.
What happens under a no-deal situation?
The ICO has issued guidance about what companies that deal with and in data should be readying themselves for in the event of a no-deal. Elizabeth Denham, UK Information Commissioner, states “At the moment personal data flow is unrestricted because the UK is an EU member state. If the proposed EU withdrawal agreement is approved, businesses can be assured that personal data will continue to flow until 2020 while a longer-term solution can be put in place. However, in the event of ‘no deal’, EU law will require additional measures to be put in place by UK companies when personal data is transferred from the European Economic Area (EEA) to the UK, in order to make them lawful.”
In the event that the UK leaves the EU without a withdrawal agreement, the GDPR will form part of UK domestic law as ‘retained EU law’ (“UK GDPR”) by virtue of section 3 of the EU (Withdrawal) Act 2018 (“EUWA”). However, in its current form the UK GDPR will not function effectively on the day that the UK leaves the EU due to the numerous references to EU laws and institutions and the fact that the UK will cease to be a Member State of the EU. It’s all a bit of a muddle!
Quite what will happen with the ePrivacy Regulation is very much in the balance. The ICO suggests the following: “The EU is replacing the ePrivacy Directive with a new ePrivacy Regulation to sit alongside the GDPR. The new regulation is not yet agreed and is unlikely to be until after exit date. This means it will not form part of UK law by virtue of the EU (Withdrawal) Act 2018. PECR will continue to apply and no specific preparations are needed for exit date.”
Our conclusion isn’t much help, but at this point in the proceedings it’s all we’ve got; all in all, it’s all a bit of a muddle!