Data Privacy Comparative Guide

Published date: 12 November 2020
Subject Matter: Privacy, Technology, Data Protection, Privacy Protection, Security
Law Firm: Bortstein Legal Group
Author: Mr Benjamin Ross

1 Legal and enforcement framework

1.1 Which legislative and regulatory provisions govern data privacy in your jurisdiction?

The main pieces of legislation which govern data privacy in the United Kingdom are the General Data Protection Regulation (2016/679) (GDPR) and the Data Protection Act 2018 (DPA 2018).

The Privacy and Electronic Communications Regulations (PECR) address the use of personal data for electronic marketing and transpose the European ePrivacy Directive (2002/58/EC), until such time as the directly applicable proposed Regulation on Privacy and Electronic Communications is finalised.

However, as the United Kingdom left the European Union on 31 January 2020, it is currently in a transition period until 31 December 2020 and it remains to be seen how much future European legislation (including the proposed ePrivacy Regulation) will continue to apply.

Once the transition period is complete on 31 December 2020, amendments will be made by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 to allow the GDPR and the DPA 2018 to remain effective and integrate fully with UK law (UK GDPR), although there will be some immediate minor adjustments, particularly with regard to international data transfers. At the time of writing, it is unclear how much divergence the UK GDPR will have from the GDPR over time, but companies doing business in Europe and the United Kingdom will need to comply with both regimes.

The main immediate question is whether the United Kingdom will secure an adequacy ruling from the European Commission which would allow data transfers to occur from the European Union to the United Kingdom without further safeguards. This is by no means a certainty, given the small number of countries which have achieved adequacy to date and the length of time (minimum two years) it takes to secure an adequacy ruling.

The US bulk data acquisition regime resulted in the EU-US Privacy Shield being invalidated recently as part of the Schrems II decision. The United Kingdom also engages in such activities, although there are stringent safeguards, as set out in the Investigatory Powers Act 2016. It remains to be seen whether the wide-ranging powers open to UK intelligence agencies will jeopardise a future adequacy ruling by the European Commission after the end of the transition period on 31 December 2020. A recent (at the time of writing) decision by the European Court of Justice ruled that national governments cannot force internet and phone companies to store information such as location data and metadata for reasons of crime prevention or national security. This could well threaten the United Kingdom's efforts to reach a deal with the European Union on data transfers. Even if the United Kingdom were granted adequacy status, privacy campaigners like Max Schrems may well bring a court case against it.

1.2 Do any special regimes apply in specific sectors (eg, banking, insurance, telecommunications, healthcare, advertising) or to specific data types (eg, biometric data)?

Financial services: A number of requirements are common to the GDPR and the financial services regulatory regime in the United Kingdom. As part of their regulatory obligations, financial services firms should establish, maintain and improve appropriate technology and cyber resilience systems and controls, including data protection.

There is also a tension to be navigated and documented between data protection principles such as minimisation of data and financial services regulatory requirements to retain data for specified retention periods - particularly when such financial services regulations are not European in origin.

Cookies and marketing: The PECR sit alongside the DPA 2018 and the GDPR and give individuals specific privacy rights in relation to electronic communications.

The PECR cover the following areas:

  • electronic marketing, including marketing calls, texts, emails and faxes;
  • the use of cookies and similar technologies for the purposes of tracking information about people accessing a website or other electronic service;
  • the security of public electronic communications services; and
  • the privacy of customers using communications networks or services as regards traffic and location data, itemised billing, line identification services (eg, caller identification and call return), and directory listings.

Law enforcement: Law enforcement is governed by Part III of the DPA 2018, which implemented the Law Enforcement Directive. The far-reaching nature of these provisions came as a surprise even to the UK government, when it was held that it had largely ignored the DPA 2018 when sharing data concerning the so-called ISIS Beatles (four British ISIS hostage executioners) and had so acted unlawfully. Intelligence agencies have their own more permissive bespoke regime for data processing, as set out in Part IV of the DPA 2018.

Marketing and advertising: While not a separate regime, the Data & Marketing Association has worked closely with the Information Commissioner's Office (ICO) to produce guidance tailored to the specific needs of the UK marketing industry, covering issues such as consent, legitimate interests and profiling. The ICO has also published its own guidance on the subject, which should be consulted alongside the Data & Marketing Association guidance.

Telecommunications: The PECR - which sit alongside the DPA 2018 and the GDPR and are derived from the European ePrivacy Directive - also set out specific rules relating to electronic communications such as marketing calls, cookies, security of communications services and privacy relating to traffic, location data, itemised billing, line identification and directory listings; and give rights to affected persons and companies.

Other specific European legislation applies to the telecommunications industry. The Telecommunications Framework Directive (2002/21/EC) requires telecommunications network and service providers to take appropriate security measures to ensure the security and integrity of telecoms networks.

The Network and Information Systems Regulations 2018 implement the EU Directive on Security of Network and Information Systems. As with the Telecommunications Framework Directive, the regulations require relevant organisations to secure networks by taking technical and organisational measures appropriate to the risk. In a similar vein to the GDPR, organisations must notify a regulator without undue delay and in any event within 72 hours in respect of a significant or substantial incident. The application of these regulations is wider than just telecoms and also covers critical infrastructure in general.

The Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 reflect the EU Telecoms Privacy Directive and permit monitoring of telecommunications systems for limited purposes, such as employee monitoring, provided that it is proportionate and subject to certain procedures.

There are also various pieces of UK legislation which apply to the telecommunications industry from a security and intelligence perspective. The Regulation of Investigatory Powers Act 2000 and its recent regulations govern the interception of communications, the carrying out of surveillance and gathering, and the use and disclosure of data by government agencies, including security and law enforcement services, in the interests of national security, prevention of serious crime and promotion of the economic wellbeing of the United Kingdom. The Investigatory Powers Act 2016 requires communication service providers to keep a record of the internet history of their subscribers for one year, available for access by public bodies on the production of a warrant or if the data sought is in relation to a 'serious crime'. The Police Act 1997 outlines the requirements for the consideration and authorisation of interference in respect of property and wireless telegraphy. The Intelligence Services Act 1994 governs the issue of warrants and authorisations enabling action to be taken by the intelligence services in relation to interference with property and wireless telegraphy.

Pharmaceuticals: Pharmaceutical businesses must consider the effects of the GDPR when processing data for medical research, pharmacovigilance and clinical trials.

The GDPR allows flexibility to process personal data where necessary for scientific research purposes, but additional safeguards must be applied if anonymous data is not being used. The GDPR also provides a limited exemption from the right of erasure of personal data for scientific research purposes, but this must be applied carefully.

EU pharmacovigilance legislation requires businesses to report adverse reactions and applies 'without prejudice' to the data protection rules; it further notes that 'it should be possible' to process personal data within pharmacovigilance reporting requirements while complying with the GDPR. The GDPR introduced a new legal ground for processing special categories of personal data, which may be helpful in the context of pharmacovigilance where the processing is necessary for reasons of public interest or health, but this is subject to various conditions.

The Clinical Trials Regulation (CTR) entered into force in 2014 and is expected to become applicable in 2020; it applies to the conduct of clinical trials throughout the European Union. The European Data Protection Board (EDPB) has clarified in an opinion that both the GDPR and the CTR apply at the same time; and that while the CTR contains specific data protection provisions, it does not permit derogation from or in any way reduce the requirement to comply with the GDPR.

1.3 Do any bilateral and multilateral instruments on data privacy have effect in your jurisdiction?

The Swiss-US Privacy Shield Framework provides a mechanism to comply with Swiss data protection requirements when transferring personal data from Switzerland to the United States. UK...
