For information on Brexit legal issues see
https://www.dlapiper.com/en/uk/focus/brexit-legal-impact/overview.
Duncan Calow is partner at DLA Piper UK LLP.
of developing and launching new publishing
technologies, products and services) and a new
statutory “right to be forgotten” seem to be
getting most of the media headlines. But nuts-and-bolts business issues like simply updating
the terms of all your sub-contractor contracts
and actually having a written record of what
data you hold, what you’re doing with it, why
you’re doing it and who has consented to that,
are going to be just as important.
So, a stubbornly print-on-paper-only book
business with no direct consumer contact, no
online presence and no behavioural marketing
strategy will still have to get its house in order. Cutting-edge digital
publishers with user-generated fan fiction platforms, running
specialist children’s services or conducting online profiling of
student reading lists, will need to do even more. The analysis
involved is not necessarily rocket science, and a good dose of
commercial common sense will go a long way (though not all the
way), but with the GDPR there is a lot to work your way through.
GDPR will still apply
To return to my opening theme, however, doesn’t a UK publisher
have to wait for what Brexit looks like to work out what all
this means for them? Well, remember that the jurisdictional
rules above mean that to the extent that a publisher still sells to
or engages with people in the EU the publisher is still going to
be stuck with the GDPR (at least in respect of relevant EU
data) regardless of Brexit, just like a US publisher. Also, as
things stand, the GDPR will take direct effect in the UK from
25 May 2018, well before any actual UK exit date.
Of course, we still await the UK Government’s Great Repeal
Bill: the legislation setting out how EU law will be enshrined,
reformed or repealed in the UK after Brexit–in particular for
EU Regulations with direct effect, like the GDPR. The UK’s
data protection regulator (the ICO) has explicitly recognised
that a new data protection law will need to be in force and
something different to the current GDPR could emerge from
current discussions. Yet the ICO is also very clear in its belief
that strong data protection law is “central” to Brexit Britain
being “open for business”.
The ICO stresses both stability and that any new UK law will
not be “overly lax” or “flexible”. So whilst there are cultural,
commercial and historic reasons why the UK has taken a
different approach to data protection than other EU Member
States in the past, and may do in the future, the increased
importance of–and need for compliance with–data protection
law is not going to change. Neither are the expectations of
many of the people whose data is being processed. As far as
they and their privacy rights are concerned, they will still want
to know that they’ve never had it so good.
A year ago on these pages I was trailing the “little
local difficulty” that was the UK’s impending
Brexit referendum, writes Duncan Calow. For the
Frankfurt edition in October I set out how media
lawyers were trying to make sense of the
referendum result–with a little help from the
Marx Brothers. Since then there have been other
important election results to contemplate and
there are more on the way elsewhere. To misquote
a former prime minister and publisher (if he really
ever did say it): we do seem to be enjoying a lot of
events at the moment, dear boy, a lot of events.
Which, unsurprisingly, means a lot of people–
and not just lawyers–are now trying to make sense of a lot of
different things. But, for me, a key challenge–at least as far as the
law is concerned–is still the same as described in my LBF article
last year, and that’s working out what isn’t going to change, as well
as what might. Or indeed, what is going to change come what
May (pun intended). So, in other news… let’s take a subject
we’ve grappled with before and which also used to be considered
as safe and boring as discussions about the Common Market.
Data protection was certainly once an overlooked area of law.
In a high profile case, a data protection specialist was once
famously introduced to the court as “the anaesthetist”. Yet as a
senior Google executive has memorably described, concern
over privacy now runs through business and, in particular, the
media and online, like a live rail on a train track. Treading
without care can bring a nasty wake-up for those still sleepwalking. Fines and regulatory sanctions have added to the
risks, which will increase further with something called the
General Data Protection Regulation (GDPR).
The GDPR was finally agreed last year after four years of
negotiation, and is set to transform the legal landscape, but not just
within the EU. EU-based entities processing personal data outside
the EU, and entities outside the EU but targeting or monitoring
people in the EU, will also be subject to the new law. So US
publishers handling EU data, and EU publishers processing in the
US, will be caught. And before anyone stifles a yawn, fines for
non-compliance are now up to €20m or 4% of global annual
turnover–whichever is higher. And no, those figures aren’t a typo.
What they are is a clear statement of intent that privacy and
personal data should now be taken as seriously as, say, the law
on price-fixing and other aspects of competition and anti-trust.
The latter being something that some of the biggest players in
publishing have been reminded of the hard way in recent years.
But the GDPR will have an impact on everyone, regardless of
company size, in the publishing business. As I like to stress, this
is not just about “Big Data” but, with so much of the
publishing back-office now in digital form, there is certainly a
need for everyone to do “Smart Data”.
Big picture GDPR concepts like “privacy by design” and
“privacy by default” (which will need baking into the process
Keep calm and carry on processing