Austrian privacy chief handed leash to EU's data protection beast The leader of the Austrian data protection authority has been elected chair of the body responsible for helping organisations follow European privacy laws. Andrea Jelinek will take the reins at the Article 29 Working Party from the French authority's president, Isabelle Falque-Pierrotin, who has led the body for the past four …
If non-EU companies don't respect GDPR then they are likely to face sanctions which could operate at country level. There would then be a strong incentive for the government of any such country to create local legislation to enforce GDPR rules. Might not be exactly the same penalties, and they might not go to the EU, but the end result would have to be much the same, if trade is to continue. That would be true for both brexited-UK, and other non-EU places like USA, China, Japan, etc.
I suppose what I'm trying to understand is what and how it will work, at the moment we're not exactly going to be non-eu as we are going to follow all the eu rules to get access to the market, so how does GDPR become enforceable if we aren't part of the ECJ but follow the rules? What part of our law is going to allow for the fines to be transferred to our jurisdiction?
On second thoughts it's a mess really isn't it. I see where you are coming from with trade as to be fair that has us by the balls.
I would think that the UK will play by the rules of EU if they want to do business with the EU. A mild or harsh (depending on point of view) variation of the old "the customer is always right".
This sort of thing happens with any cross-country business. Do business in China, you follow both the rules at home and in China.
Edit:
Phil O'Sophical's take on this is probably spot on.
"That would be true for both brexited-UK, and other non-EU places like USA, China, Japan, etc."
Well, the Yanks will ignore all furringer rules, and rely on their country's clout to protect them, Japan and China we don't do much data trade (ignoring certain state sponsored activities). The big issue will be India, where we do an enormous amount of data-trade, and local data protection standards appear to be aligned with exactly what you'd expect of a low wage economy.
"if after brexit we are no longer under the ECJ then who is going to issue fines in the UK under the GDPR and if it's an EU related issue how will they collect from a UK company without any legal options?"
The GDPR has to be implemented in local legislation in each country. That's why there's a new Data Protection Bill going through Parliament now. When it received Royal Assent it will become the new Data Protection Act. Like the others, the ICO will be the body in day-to-day charge. The ECJ doesn't come into it. This will be the situation from this May and unless a subsequent govt. tinkers with it it'll remain. Any govt would be mad to tinker with it except in one specific circumstance because it would greatly harm all manner of trade with the EU, or at least such as survives Brexit.
The one circumstance is that the EU changes or replaces GDPR in which case we'll have to make parallel changes without having had any input into the EU process. It's called "taking back control".
The EU has two main types of acts. Regulations and Directives.
Directives are instructions to EU states to create their own legislation that meets the intent of the directive.
Regulations are exactly that and are automatically part of the law in all EU states.
However that does not stop states creating legislation that goes further than an EU regulation and that along with ensuring that we already have rules in place that will cause us to meet Data Protection adequacy requirements when we have left the EU is what the UK government are currently doing.
I expect how they will enforce any fines once we have left the EU is the same way as they will for any other non EU country. They will send a bill and if you don't pay it then any official from the organisation setting foot in the EU will be arrested.
"However that does not stop states creating legislation that goes further than an EU regulation"
There was an article here a week or so ago about the EU getting at upset that countries hadn't adopted it yet: https://www.theregister.co.uk/2018/01/25/eu_gdpr_infringement_procedure/
1. The GDPR goes into effect in May. We brexit (*if* we do) *after* the GDPR goes into effect.
2. Under the current law working its way through Parliament, the GDPR becomes a UK law after Brexit (as per 1.). The ICO will then have the authority to levy the fine on you.
3. If the government then chooses the revoke the UK version of the GDPR, if you do business in the EU or with EU citizens, you are still liable for any fines brought under EU regulations. How that fine is applied is another question that the Supreme Court will probably have to deal with.
It might be as simple as the EU instructing a law firm in the UK to act on its behalf and sue you in the UK for the amount of the fine, and it may then wend its way through court (with the attached costs), or the EU might simply choose to attach any EU assets you might own (your house in the Costa del Britain, the house in the Provence, your EU bank account) and use that to recover the fine...
Who wants more of the wink-wink nudge-nudge games below. Until the Irish DPC is ousted, what influence do any of the other EU players really have?
-
https://www.irishtimes.com/business/technology/independence-of-data-protection-commissioner-questioned-1.2513682
http://www.thejournal.ie/data-protection-commissioner-new-office-1488473-May2014/
https://qz.com/162791/how-a-bureaucrat-in-a-struggling-country-at-the-edge-of-europe-found-himself-safeguarding-the-worlds-data/
https://qz.com/993995/how-facebooks-fb-sheryl-sandberg-personally-lobbied-irish-prime-minister-enda-kenny-as-shown-by-2014-emails-published-in-the-irish-independent/
For clarity, and to stop spawn of discussion on the facts:
1) Current EE Data Protection DIRECTIVE (1995) is implemented in UK via UK Data Protection (1998)
2) New EU General Data Protection REGULATION applies to all EU (and EEA) countries, directly, from May 25th this year.
3) UK, after Brexit, is planning to continue to 'apply' GDPR requirements via the UK Data Protection Bill currently doing the approval rounds. This Bill will cover areas where GDPR allows member states to choose their own rules (i.e. Security, Defence etc) AND where states can implement GDPR flexibly (such as age of children, 13 versus 16 etc).
4) When it comes to personal data used for marketing rules, EU Privacy DIRECTIVE is implemented in UK via Privacy & Electronic Communications Regulation (PECR) (2003).
5) EU is planning to update ePrivacy DIRECTIVE to be a new EU ePrivacy REGUALTION later this year.
You may all wake up now.
...there's always the international laws etc that will allow judges in foreign courts to produce summons on data that exists in Europe and then look to deport people to foreign courts to try them. In theory it works both ways, expect to see a lot of other countries prescribing to the same set of rules to protect their own national interests. Also, as a"foreign" firm post brexit, which EU country will a firm choose to be represented from if they choose to sell goods/services into Europe, therefore you've accepted the risk to do business in Europe. Either way, companies are caught by the short and curlies, time to make sure your big expensive "legal" guns are fully loaded if your going to fuck about with this, I'm sure some of the European DPAs would be happy to put a few size 12's into a few British companies to protect their own local interests, and vice versa.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
