Our annual workshop and lecture – held earlier this month – brought together a wide range of legal academics, lawyers, policy-makers and interested parties to discuss the future of human rights and digital information control.
A number of key themes emerged in our panel sessions including the tensions present in balancing Article 8 and Article 10 rights; the new algorithmic and informational power of commercial actors; the challenges for law enforcement; the liability of online intermediaries; and future technological developments.
The following write up of the event offers a very brief summary report of each panel and of Rosemary Jay’s evening lecture.
Panel A: Social media, online privacy and shaming
Helen James and Emma Nottingham (University of Winchester) began the panel by presenting their research (with Marion Oswald) into the legal and ethical issues raised by the depiction of young children in broadcast TV programmes such as The Secret Life of 4, 5 and 6 Year Olds. They were also concerned with the live-tweeting which accompanied these programmes, noting that very abusive tweets could be directed towards children taking part in the programmes.
A consensus already appears to be emerging among legal commentators that many UK organisations will need to comply with the provisions of the European Union’s General Data Protection Regulation regardless of the progress of the UK’s path to Brexit.
The GDPR was due to be adopted by the UK in May 2018 after a long process of EU legislative reform. As soon as the UK officially leaves the EU, in theory it is possible that the GDPR could be ignored – data protection is already written into UK law in the Data Protection Act 1998. In practice, however, if the UK continued to be part of the European Economic Area then the UK would have to abide by GDPR.
Moreover, as Andrew Cormack points out, any organisation outside the EU that wishes to process the data of “data subjects who are in the Union” will also have to abide by GDPR (Article 3(2)). This would be relevant to a number of UK organisations who need to process the data of EU clients, customers, students etc.
Further, any EU organisation sending personal data to the UK as a non-member state would no longer be able to guarantee that there was “adequate protection” of data in the UK, unless the UK sought to obtain a declaration to the contrary.
The position of the UK vis-à-vis GDPR was summarised by the ICO in a statement published in response to the referendum result:
“If the UK is not part of the EU, then upcoming EU reforms to data protection law would not directly apply to the UK. But if the UK wants to trade with the Single Market on equal terms we would have to prove ‘adequacy’ – in other words UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.”
It is likely, therefore, that elements of the GDPR will be incorporated into UK law however Brexit progresses. Both Anya Proops QC and Eduardo Ustaran argue that any UK business which provides services into the EU will need to understand and comply with GDPR.
In this guest blog post, Brendan Van Alsenoy – legal researcher at the Centre for IT and IP Law, University of Leuven – analyses the scope of the personal use exemption under the new EU General Data Protection Regulation (GDPR).
A note with regard to the relevance of the GDPR to the UK: this post was written before the EU referendum result on 24th June. For the ICO’s statement on the potential regulatory implications of a UK exit from the EU please see this link.
The blog post was originally posted on the CiTiP blog at KU Leuven. It is based on a draft paper included in the CiTiP Working Paper Series. You can follow the CiTiP on Twitter here.
In less than 30 years, individuals have transcended their role as passive “data subjects” to become actively involved in the creation, distribution and consumption of personal data. Unless an exemption or derogation applies, individuals are – at least in theory – subject to data protection law.
The evolving role of the individual
We use information and communication technologies every day. Mobile devices tell us where to eat, who to meet and how to get there. We share pictures, post videos and tweet reviews. We google everything and everyone.
With all these processing capabilities at our fingertips, the question can be asked: are we subject to EU data protection law?