By Mr Andrew Charlesworth, Reader in IT Law (University of Bristol Law School).
On Friday 25 May 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679), commonly referred to by its acronym of GDPR, comes into force across the EU. In the UK, this will be accompanied by the coming into force of the Data Protection Act 2018 which received Royal Assent on 23 May 2018. The new Act repeals the existing Data Protection Act 1998 and revokes the secondary legislation made under the 1998 Act.
The GDPR is directly applicable, which means that with the exception of limited areas of Member State discretion, it applies in the UK without further need for national legislation. The Data Protection Act 2018 addresses those areas of Member State discretion, and also implements the new Data Protection Directive for Police and Criminal Justice Authorities (Directive (EU) 2016/680), which is designed to protect individuals’ personal data when their data is being processed by police and criminal justice authorities, and to improve cooperation in the fight against terrorism and cross-border crime in the EU by enabling police and criminal justice authorities in EU countries to exchange information necessary for investigations efficiently and effectively.
Andrew Charlesworth, Reader in IT law at the University of Bristol Law School, is currently actively engaged in the analysis of the new rules through a series of short articles on the GDPR in conjunction with Cloudview (UK) Limited. Andrew is also providing key expertise in the development of the Privacy Flag initiative. You can access Andrew’s analysis and other work through the links provided in this post.
Analysis of the GDPR
Andrew’s articles published to date include:
- A Very Short History of Data Protection, exploring the background to the GDPR, and tracing the history of data protection law since the 1960s.
- The New Data Protection Environment: The Legislative Framework, outlining the latest developments in legislation, including the GDPR, the UK Data Protection Act 2018, and the proposed EU ePrivacy Regulation, which is intended to replace the EU Privacy and Electronic Communications Directive 2002 (2002/58/EC) at some point in 2019.
- The New Data Protection Environment: Regulatory Agencies, examining how the role of the regulatory bodies in developing and enforcing national data protection laws will evolve after the GDPR, focusing on the UK Information Commissioner’s Office.
Future articles will consider the impact of the new regulatory regime upon data controllers, data processors and data subjects, and the role technology can play in facilitating rather than undermining data privacy goals. An example of the type of impact that is likely can be seen in the White Paper ‘Watching the Watchers’, on CCTV and the GDPR, recently written for Cloudview (UK) Limited.
Andrew’s work on the GDPR has also included involvement in a major pan-European Horizon 2020 research project, Privacy Flag, co-funded by the European Commission and the Swiss State Secretariat for Education, Research and Innovation. Privacy Flag has created mobile and browser apps to allow citizens to check whether their rights as data subjects are being respected; and tools and services, including privacy certification, to help companies comply with personal data protection requirements.