UK Privacy Regulator Explains New Regulatory Powers

Brett Schlossberg
King & Spalding
Contact
LinkedIn
Facebook
X
Send
Embed

On Friday, May 4, 2018, the Deputy Director of the United Kingdom’s (“UK”) Information Commissioner’s Office (“ICO”), James Dipple-Johnstone, stated in a blog post that the General Data Protection Regulation (“GDPR”) would not provide regulators with sufficient powers to enforce the new regulations. Although the GDPR, which comes into force on May 25, would expand the scope of legal protections afforded to personal information and impose higher obligations on companies that process and store such information, Dipple-Johnstone asserted that the GDPR does not provide investigators with the requisite authority to inspect how personal information is stored and shared. As a result, Dipple-Johnstone discussed the need for greater enforcement powers and explained how he has worked with UK legislators to ensure a proper balance is struck.

In support of his call for greater enforcement powers, Dipple-Johnstone cited the fact that the ICO’s “powers to prosecute any failure to provide information [and] ability to go to court to request a warrant to search a premises” stem from UK domestic laws, not the GDPR.  The Deputy Director explained in his blog post that “it has become increasing clear that some of [the ICO’s] powers are not fit for purpose for the challenging remit we have in the digital age.” Emphasizing a need to move at an adequate pace for the rapidly changing digital landscape, Dipple-Johnstone stated he did not believe that the expanded scope and enhanced penalties under the GDPR provide sufficient mobility to act effectively in this new landscape.

In order to achieve these goals, the ICO has worked with the UK government to expand its enforcement authority under the UK Data Protection Bill (the “Bill”), and the UK government has responded positively by making amendments to the Bill.  The strengthened powers include issuing urgent notices to individuals and organizations that must be complied with within 24 hours.  The ICO would also have the ability to inspect and assess compliance without notice, and it will be a criminal offence for an organization to destroy or alter information that would serve as evidence.

Since Article 23 of the GDPR provides its member states some discretion in how to apply the regulation, it is possible for regulators in other European countries to take stances similar to those espoused by Dipple-Johnstone.  It will be important for companies subject to the GDPR and other European data regulations to pay attention to further announcements from regulatory officials in this regard, as it is currently unclear whether other countries will follow the ICO’s lead.

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising

Written by:

King & Spalding
King & Spalding
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

King & Spalding on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide