Shearman And Sterling


January 03, 2018

Brexit and GDPR: What to Expect in 2018




In a referendum held Thursday, June 23, 2016, the citizens of the United Kingdom (the “UK”) voted to leave the European Union (“EU”) in the so-called “Brexit”.  Although the European Union Referendum Act, which authorized holding the referendum, is silent as to further steps, last year the European Union (Notification of Withdrawal) Act 2017 authorized the Prime Minister to notify the EU of the UK’s intent to withdraw.  The Prime Minister made this notification on March 29, 2017 under Article 50 of the Treaty on European Union, which provides two years for the parties to negotiate a withdrawal agreement, unless the UK and the European Council unanimously decide to extend this period.[1]  Further Acts and proposals in the UK have also sought to give effect to the results of the referendum and prepare for the separation of the UK and EU.

One area of concern in the context of Brexit is the UK’s legal framework for privacy and data protection.  The UK government has recognized that it will still be part of the EU when the General Data Protection Regulation (the “GDPR”) comes into effect on May 25, 2018.[2]  The UK has stated that it will comply with the GDPR, and that its compliance will not be affected by Brexit.[3]  To this end, on August 7, 2017, the UK Department of Digital, Culture, Media and Sport (the “DCMS”) published a Statement of Intent, in which it outlined the policy and objectives behind a proposed Data Protection Bill (the “Bill”), which was introduced in Parliament on September 13, 2017 and is currently making its way through both houses.[4] 

In the discussion below, we provide the key takeaways from the Bill, the differences between the Bill and the GDPR, the differences between the GDPR and the EU Directive (defined below), and then consider in greater detail the proposals contained in the Bill and how those proposals may affect companies in the UK, EU, United States and elsewhere post-Brexit.

Key Takeaways from the Bill

The suite of proposals contained in the Bill will:

  • Broaden the definition of “personal data” contained in the UK Data Protection Act 1998
  • Require unambiguous consent for processing personal data, and explicit consent with respect to processing an individual’s sensitive data
  • Require parents and guardians to consent on behalf of children under the age of 13
  • Require simpler methods for individuals to withdraw consent for the use of personal data
  • Provide simpler methods for individuals to access their personal data held by organisations
  • Allow individuals to request, and in some cases require, companies to delete their personal data
  • Facilitate customers’ wishes to migrate personal data when changing service providers
  • Increase available monetary sanctions up to £17 million ($22.1 million) or 4% of a company’s global turnover (whichever is higher)

The Current Legal Framework

Since the early 1990’s, data privacy has been a significant concern of EU institutions.  Personal privacy and data protection are enshrined in human rights treaties to which the EU adheres,[5] and the EU first adopted the European Data Privacy Directive in 1995 (the “1995 Directive”),[6] which was transposed into local law by Member States, including by the Data Protection Act 1998 (“1998 Act”) in the UK.[7]  

Migration to and Retention of the GDPR

In April 2016, the EU adopted the GDPR, which will supersede the 1995 Directive and have direct effect in the 28 Member States on May 25, 2018, without the need for national transposition.  Since the UK will still be a member of the EU on the date the GDPR enters into effect, the GDPR will become part of UK law.  Under the proposed European Union (Withdrawal) Bill (also referred to as the “Great Repeal Bill”), the GDPR would remain UK law after Brexit, but it could be amended in the UK thereafter.[8]  Additionally, regarding the processing of personal data for criminal law enforcement purposes, the EU developed the Data Protection Law Enforcement Directive (“DPLED”), which is also scheduled to come into effect in Member States in May 2018.[9]  However, given that this latter instrument is an EU Directive, Member States will have leeway in how they transpose the DPLED into national law.

Proposed Measures of the Bill

Rather than completely overhauling the 1998 Act, the Bill, as proposed by the DCMS,  subjects most processing of personal data to the GDPR and seeks to enhance and bolster the laws already in place to reflect the changing nature and scope of the digital economy.[10]  Some of the differences between the Bill and the GDPR are due to the derogations that exist under the GDPR.  Part 2 of the Bill supplements the GDPR and applies a broadly equivalent regime to certain types of processing to which the GDPR does not apply.  Some salient aspects of the Bill are discussed below as well as some key differences between the GDPR and its predecessor, the 1995 Directive.


Arguably the most notable development comparing the GDPR to the 1995 Directive is the extended jurisdiction of the GDPR. Unlike the 1995 Directive, which required the company to be established in the EU or use equipment situated in the EU to process data, the GDPR will apply to the processing of personal data of data subjects in the EU by a controller or processor not based in the EU, where the activities relate to (i) offering goods or services to EU citizens and (ii) the monitoring of behaviour that takes place within the EU. Under the GDPR, non-EU businesses processing the data of EU citizens must also appoint an EU-based representative.

Also, unlike the 1995 Directive, which required implementation through national legislation, such as the UK’s Data Protection Act, GDPR is a binding piece of legislation that will be legally enforceable as soon as it comes into effect on May 25 and will apply to all EU nations and every company holding data on EU citizens.

Since the UK is leaving the EU, the UK Bill proposes to apply the new standards to all general data, not just areas which previously came under EU competence.[11]

Definition of Personal Data

Similar to the approach taken by the GDPR, the Bill expands the definition of “personal data” to reflect the growth and development of technology since the passage of the 1998 Act. Personal data is defined to encompass, for example, IP addresses, internet cookies and DNA.

Privacy by Design

One of the key changes under the GDPR is the concept of “Privacy by Design” or “Privacy by Default.” The current data protection rules in the EU do not have this concept and no EU law ensures that these measures have to be taken into account. Companies are in essence required to implement appropriate technical and organisational measures regarding the protection of data from the outset of the design of a system and must hold and process only the data absolutely necessary for the completion of the duties involved (i.e., data minimization), as well as limiting access to the data to those involved in the processing.


Compared to the 1995 Directive, the conditions for consent have been tightened under GDPR. Specifically, the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent. Consent must also be clear and distinguishable from other matters. It must also be easy for an individual to withdraw their consent.

Aligning with the GDPR,[14] an individual’s consent to the use of his or her personal data under the UK bill must not be ambiguous, and not based on the use of default opt-out or pre-checked tick boxes.[15] Consent must also be explicit in order to process sensitive personal data. In respect of children under the age of 13, parents or guardians will be required to give their consent to information society services[16] (defined as “any service normally provided for remuneration, at a distance, by means of electronic equipment for the processing (including digital compression) and storage of data and at the individual request of a recipient of a service”).[17] Under the GDPR, this age is 16 years.[18]

Additionally, the Bill, contrary to the GDPR, excludes “preventive or counselling services” from the definition of “information society services.”[19]

The Bill, similar to the GDPR,[20] also anticipates an easier withdrawal of consent for all individuals.[21]


In harmony with the GDPR,[22] pursuant to the Bill, it will become easier for data subjects to require an organisation to disclose personal data it holds.[23] This will be required at no cost, provided the request is not manifestly unfounded or excessive.[24] Organisations will also be required to clearly state how individuals may access their information.[25]

Data Portability

Similar to the measures contemplated by the GDPR,[26] the Bill sets out new rules enabling customers to move their data from one service provider to another, which gives more choice to customers and encourages competition and innovation in many industries.[27] Moreover, if an individual switches internet service providers, the Bill will facilitate the transfer of personal data contained in file storage services, such as personal photographs, to the new internet service provider.[28]

Data Subject Rights

The GDPR has also introduced a number of data subject rights, which include:

  • The right to be notified by the processor or controller of data breaches (see below for more details).

  • The right for data subjects to obtain confirmation from the data controller with respect to whether data concerning them is being processed, where and for what purpose. This right currently exists in the UK and under the 1995 Directive and is commonly referred to as subject access. Under the current rule, organisations are required to respond to a subject access request within 40 calendar days. GDPR enhances these rights by requiring responses within a month, generally without charge, and with additional information, such as data retention periods.

  • The right to compel the data controller to erase his or her personal data, cease further dissemination of the data, and potentially have third parties cease processing the data further (i.e., the right to be forgotten or “Data Erasure”). Both the Bill[29] and the GDPR[30] set out explicitly the “right to be forgotten”, which means that individuals will be able to request that their personal data be erased, including the ability to request, under certain circumstances, that social media platforms delete all or some of one’s posts. A particular measure proposed by the Bill, which does not appear in the GDPR, will give individuals the right to require social media platforms to delete information posted during one’s childhood.[31] These measures in the Bill are different from the “right to be forgotten” in the context of search engines, as expressed in a May 13, 2014 ruling of the European Court of Justice (the “ECJ”).[32] Under the ECJ’s ruling, authorities or courts may require Google and other search engines to remove links to personal information, even if such information was published legally.[33]

  • The right for the data subject to receive the personal data concerning them, which they previously provided and the right to transmit that data to another controller.


In respect of profiling, the Bill will give a greater say to individuals in decisions made about them on the basis of automated processing.[34] Moreover, individuals will be able to request that decisions based on automated processing be reviewed by a person.[35] The measures contemplated by the GDPR seem less robust as they allow the data subject to receive personal data concerning him or her that he or she provided to the controller. However, there is no right for the individuals to partake in the significant decision-making, nor any right that such decisions are taken by a person.[36]

Data Breaches

In the event of a data breach that puts the rights and freedoms of the individual at risk, the Bill—aligning with the GDPR[37]—would require the data controller to notify, within 72 hours, the Information Commissioner’s Office (the “ICO”), which is the public body in the UK in charge of upholding information rights and data privacy.[38] GDPR also requires data processors to notify their customers, the controllers, “without undue delay” when they become aware of a data breach.

The Bill and the GDPR also state that if the breach poses a “high risk” to individuals, the company must also notify the individuals affected by the breach, and prescribe that organisations involved in “high-risk” data processing must carry out an impact assessment to identify any risks and how to mitigate such risks.[39]

Data Protection Officers

Under the GDPR, it will no longer be necessary to submit notifications or registrations to each multinational’s local data protection officer of data processing activities, nor will it be required to notify or obtain approval for transfers based on Model Contract Clauses. Rather, the GDPR includes internal record keeping requirements that organisations must be able to produce to demonstrate compliance with the GDPR. What is more, the appointment of a data protection officer will be mandatory for those controllers and processors whose core activities consist of processing operations, which require regular monitoring of the data subjects on a large scale or special categories of data relating to criminal convictions. Article 29 Working Party guidelines’ examples of large-scale processing include: processing of patient data by a hospital, customer data by an insurance company or a bank, real-time geolocation data of customers by an international fast food chain, and behavioural advertising by a search engine. The GDPR also sets forth the specific requirements a data protection officer must meet and other obligations in connection with the performance of his or her duties.

EU Representatives for Controllers Based Outside of Its Borders

While GDPR requires the appointment of a representative for controllers that operate within the EU but are based outside of its borders, the UK Bill expressly states that any references to data protection representatives should be omitted.

Collective Redress Option

The GDPR offers EU member states an optional provision allowing for collective redress for consumers via third parties, such as consumer privacy groups acting independently and lodging data protection complaints on consumers’ behalf. The UK bill does not include this provision in the current draft.


The GDPR contemplates fines on both controllers and processors of up to 4% of annual global turnover or €20 million (whichever is greater).

In line with the GDPR,[40] and pursuant to the principle of proportionality, the ICO will be able to impose civil sanctions up to £17 million ($22.1 million) or 4% of the company’s global turnover, whichever is greater, in comparison with the present cap of £500,000 (approximately $650,100) available under the 1998 Act.[41] Further, the ICO and the Crown Prosecution Service, as well as equivalent prosecutorial agencies in Scotland and Northern Ireland, will continue to prosecute offenders under applicable criminal laws. The most serious offences will become recordable (i.e., recorded on a police database in the UK, which can be disclosed as part of previous convictions or criminality checks) pursuant to the Bill.[42] The Bill also creates two new criminal offences: (i) intentionally or recklessly re-identifying individuals from anonymized or pseudonymized data, and (ii) altering records with intent to prevent disclosure following a subject access request.[43] The Bill also seeks to widen the existing offence of unlawfully obtaining data to include the act of retaining data against the wishes of the controller, even if it was obtained lawfully.[44] Journalists and whistle-blowers, however, will benefit from express exemptions under the Bill.[45]

Looking Through the Brexit Lens:  What Businesses Need to Know

If the Bill is adopted in its current state, its workability and success will be determined by its performance post-Brexit.  Upon the UK’s departure from the EU, it will become a third country for purposes of EU law.  As such, a number of instruments will need to be put in place to ensure a continued successful relationship with other polities regarding the transfer and protection of data, including, importantly, the EU and the United States. 

With respect to the EU, post-Brexit, the UK will be subject to Article 45 of the GDPR, which stipulates that data transfers will only be permissible if the UK as a third country ensures an adequate level of protection.[46]  The EU Commission could adopt an adequacy decision in respect of the UK, as it has done for several countries under the 1995 Directive, and which would ensure an all-encompassing and clear agreement permitting transfers of personal information from the EU to the UK.[47]  In order to obtain a finding of adequacy, in essence, the EU Commission examines, most notably, the strength of the legal framework in question, the effectiveness of the domestic regulator and the petitioner’s international commitments to data protection.[48]

However, if the UK is unable to obtain this designation, then in accordance with Article 46 of the GDPR, cross-border data transfers could still take place if the recipient outside of the EU puts appropriate safeguards in place, which include standard contract clauses or binding corporate rules.  These alternative measures would involve added costs and red tape for businesses.  For purposes of legal certainty and as the strongest guarantee of the free flow of data, an EU Commission adequacy decision would be the preferred approach.

Regarding the United States, post-Brexit, the transfer of data will no longer be governed by either (i) the EU-U.S. Privacy Shield, which established the legal framework pursuant to which transatlantic transfers of data may take place for commercial purposes between the EU and the United States,[49] or (ii) the EU-U.S. Umbrella Agreement, which established a comprehensive high-level data protection framework for EU-U.S. law enforcement cooperation.[50]  Consequently, the UK will be at liberty to choose the mechanisms pursuant to which it wishes to proceed with the United States.  However, given the general consensus that the UK is unlikely to diverge from the GDPR, the UK would be able to adopt its own equivalence decision with respect to the United States and its own privacy shield.  This would mirror the approach taken by Switzerland and recently advocated by the European Union Committee of the UK House of Lords.  Not only does Switzerland have an adequacy finding by the Commission, but it also has in place a Privacy Shield Agreement with the United States identical to the EU-U.S. agreement.[51]


Overall, the proposals contained in the Bill must be welcomed as a sign that the UK government is implementing the GDPR and other developments, and it is doing so with an eye toward certainty and an orderly Brexit in the field of data privacy.  This is imperative because data privacy and data protection impact not only personal rights, but a significant portion of the digital economy.  However, the Bill is still only the first step as a number of gaps remain, such as the UK’s relationship with the United States and the EU. 

Although this article focuses on the UK data protection bill, other EU Member States also have implementing legislation at various stages working through their respective legislative chambers.  The attached table summarizes the status of implementing acts in other EU Member States.  As we see in the UK data protection bill, many other EU Member States have also taken advantage of the various GDPR provisions that allow for Member State flexibility. Notably, areas worth monitoring closely include: age of consent, transparency, the processing of “sensitive personal data”, data subject rights in terms of access and profiling, and rules related to processing of HR data or data processing for research purposes.

Key Takeaways

The introduction of GDPR represents one of the most significant shifts in data privacy standards in several decades.  Any organisation that processes EU citizens’ data should assess how the GDPR applies to your organisation and implement a plan to prepare for the new law before it goes into effect in May, taking into account also the complexities that are added by Brexit.

Here are 12 steps to take now to prepare for the GDPR, under the UK Information Commissioner’s Office Guidance:

Status of GDPR Implementation in EU Member States






Data Protection Amendment Act 2018

On May 12, 2017, the Austrian government adopted the Act, which will enter into force on May 25, 2018

  • Under the draft law, the age of consent for children is 14

  • The GDPR applies the right to data protection to natural persons only; the draft law does not restrict the application to natural persons


Data Protection Act

  • On August 23, 2017, a draft bill of the Act was introduced

  • A second implementing bill covering the GDPR's data processing principles and conditions is being prepared and will be introduced before Parliament in the coming months

No major deviations from the GDPR in the draft bill


Data protection law

  • On November 15, 2017, the Bulgarian Personal Data Protection Authority introduced a 10-step action plan for GDPR implementation

  • The new law is expected to be adopted by May 2018

It remains to be seen how the GDPR will be implemented in Bulgaria



No bill as of yet

It remains to be seen how the GDPR will be implemented in Croatia



No bill as of yet

It remains to be seen how the GDPR will be implemented in Cyprus

Czech Republic

Act on Personal Data Protection Act

  • On August 18, 2017, the draft law was published by the Czech Ministry of Interior

  • The draft law has yet to be approved by the Czech government and Parliament

  • Given the October 2017 general election in Czech Republic, it seems unlikely that there will be major developments until 2018

  • The amendment is intended to come into force in May 2018

  • Under the draft law, the age of child consent is 13

  • Otherwise, the draft law is not stricter than the GDPR


Supplementary Provisions for a Regulation on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Information

  • In July and August 2017, a public consultation concerning the proposal was conducted; the results of the consultation have yet to be published

  • Under the proposal, the age of child consent is 13



  • No bill as of yet

  • On October 14, 2016, the Estonian Data Protection Inspectorate drafted an overview of the status of GDPR implementation and gave recommendations on how the GDPR should be implemented in Estonia

It remains to be seen how the GDPR will be implemented in Estonia



  • No bill as of yet

  • In February 2016, the Ministry of Justice set up a working group whose main task was to prepare a legislative proposal on implementation

  • The working group recommended that the current legislation should be repealed and that a new act supplementing the GDPR should be adopted

  • On June 21, 2017, the government published a report on implementation

  • The consultation phase of the working group's proposal ran until September 8, 2017

  • It is expected that the new Data Protection Act will be submitted to Parliament during early Spring 2018

  • No decision has yet been made, but the governmental report proposed the age of consent for children at 13 or 15


Digital Republic Law

  • Before the entry into force of the GDPR, legislation was adopted that incorporated certain elements of the GDPR into French law

  • On March 27, 2017, the French Data Protection Authority (CNIL) recommended that a new Data Protection Act be adopted

  • Digital Republic Law was adopted on October 7, 2016

  • Under the Law, the age of child consent is 13

  • The Law contains additional conditions, including limitations with regard to the processing of genetic data, biometric data or data concerning health


Federal Data Protection Act

  • On June 30, 2017, Germany was the first Member State to implement the GDPR by passing a revised form of the Federal Data Protection Act

  • The age of child consent is the same as the GDPR (i.e., 16)

  • The Act provides for a wider scope than the GDPR as far as the appointment of data protection officers (DPO's) is concerned

  • The Act requires written employee consent for the processing of employee data

  • The Act restricts the right to access personal data in certain circumstances

  • The processing of special categories of personal data is permitted without the consent of the data subject if required for reasons relating to social security, healthcare, employment and other certain public interest



  • No bill as of yet

  • There is a legislative committee looking at opening clauses

It remains to be seen how the GDPR will be implemented in Greece


Privacy Act

  • In January 2017, the Hungarian Data Protection Authority proposed to the Ministry of Justice to set up a working group to discuss the GDPR

  • The Hungarian government prepared and published a draft of the Act at the end of August 2017

  • The deadline for submitting comments ended on September 8, 2017

  • The Act has yet to be submitted to the Hungarian Parliament, but it is expected that it will be accepted in 2018

  • The Hungarian Data Protection Authority published a 12-step guide on how to get ready for the GDPR

  • The draft Act limits the changes to those necessary for the implementation of the GDPR

  • One difference is that the Act intends to extend the GDPR provisions to every kind of data processing activity


General Scheme of the Data Protection Bill 2017

  • The draft Bill was published in May 2017

  • On July 5, 2017, the Irish Cabinet officially decided to set the age of consent of the child to 13

  • The Bill contains an exemption from the GDPR for processing that is done for journalistic purposes or the purposes of academic, artistic or literary expression where compliance with GDPR would be incompatible with the freedom of expression

  • The Bill contains a list of non-exhaustive public interest objectives which may be invoked to restrict organisations' obligations and individuals' rights under the GDPR

  • The Bill restricts data subjects' rights in respect of processing (i) data necessary for the defence of a legal claim, (ii) opinions given in confidence, and (iii) communications protected by legal advice or privilege

  • The Bill provides for derogations from specified data subject rights for processing for archiving purposes in the public interest, scientific, historical research or statistical purposes

  • The Bill permits the processing of special categories of data if necessary for the public interest

  • The Bill gives greater powers to the Data Protection Commission



  • No bill as of yet

  • On May 23, 2017, the Italian Data Protection Authority issued guidelines regarding key topics of the GDPR and relevant implementation in practice

  • A bill of law delegating the government to issue a decree to update the current legislation to make it compliant with the GDPR passed the Senate exam and is pending before the Chamber of Deputies

It remains to be seen how the GDPR will be implemented in Italy


Personal Data Processing Law

  • The draft bill was published on September 13, 2017

  • On October 12, 2017, a draft law prepared by the Latvian Ministry of Justice was adopted

  • Under the draft law, the age of child consent is 13

  • The draft law includes specific provisions and exceptions covering data processing for journalistic, academic, artistic and literary expression


Law on Legal Protection of Personal Data

  • On June 15, 2017, the draft law was published

It remains to be seen how the GDPR will be implemented in Lithuania


Law regarding the creation of the National Commission for Data Protection and the implementation of the GDPR

  • A draft bill was submitted to Parliament on September 12, 2017

  • The draft bill grants an exemption in the event of data processing for the purposes of journalism, university research, art or literature

  • The draft bill grants an exemption, subject to certain exceptions, in the event of data processing for the purposes of statistics or scientific or historical research

  • Regarding the processing of sensitive data, the draft bill confirms that such processing is allowed for certain medical bodies and healthcare as well as for research bodies, social security organisms, insurance companies, pension funds and other approved organisms



No bill as of yet

It remains to be seen how the GDPR will be implemented in Malta


Dutch GDPR Implementation Act

  • The ministerial draft bill was open for public consultation between December 9, 2016 and January 20, 2017

  • 67 comments were received from interested parties

  • On April 6, 2017, the Dutch regulator advised the State Secretary of security and justice on the draft Act asking for greater powers and more independence

  • No further draft of the Act has been issued, but one is expected by the end of 2017

  • The Act expects to implement the GDPR on May 25, 2018

The government website indicates that, when implementing European regulations, the starting point is “policy neutrality.” This means that current national law will be maintained to the extent possible under the GDPR


Personal Data Protection Act

  • On March 28, 2017, the Ministry of Digital Affairs presented a preliminary draft of certain provisions of a new Personal Data Protection Act

  • On September 14, 2017, the draft was presented to the public and the relevant authorities for consultations, which is the first step of the official legislative process

  • The age of child consent under the draft is 13

  • The draft contemplates a derogation pursuant to which the amount of financial penalty that may be imposed on public entities is capped at PLN 100,000 (approximately EUR 24,000)



  • No bill as of yet

  • On August 24, 2017, a working group was established for the purpose of preparing the Portuguese legislation for the application of the GDPR

  • The working group has until December 31, 2017 to prepare the draft legislation

It remains to be seen how the GDPR will be implemented in Portugal



  • A draft bill in Romanian was published on September 5, 2017

  • The Act was open for public consultation until September 25, 2017

No major deviations from the GDPR.


Act on Personal Data Protection

  • On November 7, 2016, the Slovak Office for Personal Data Protection (DPA) published preliminary information on the new Act, which was a general document containing basic facts with respect to the proposed legislation (not in draft form)

  • The DPA published its second proposal of the new Act, following the ministry's interdepartmental consultation

  • The new Act will enter into force on May 25, 2018

  • The main parts of the new Act will apply to processing of personal data in the course of an activity which falls outside the scope of the GDPR (e.g., processing of personal data by the police, military police, financial administration, prosecutors and courts for the prevention of offences)

  • Under the proposal, the controller may process personal data without the data subject's consent if the processing is necessary for journalistic purposes and the purposes of academic, artistic or literary expression unless the controller infringes the personal rights of a data subject

  • The proposal introduces an additional condition with regard to the processing of genetic data, biometric data or data concerning health; the controller may process these types of personal data if processing is based on a legal ground, a special law or international treaty


Personal Data Protection Act

  • According to the website of the Slovenian Information Commissioner, the details of the Act are not published yet

  • The public consultation was expected to start in September 2017

  • The new Act is expected to be adopted by May 2018

It remains to be seen how the GDPR will be implemented in Slovenia.


Basic Act of Personal Data Protection

  • At the end of June 2017, the preliminary draft law was presented to the Council of Ministers

  • The term granted to stakeholders to provide comments ended on July 19, 2017

  • It is expected that the Council of Ministers will approve the draft Act by the end of 2017 and pass it to Parliament for deliberation and approval in 2018

  • Age of child consent is 13

  • The draft includes a description of sanctionable conduct, distinguishing between very serious, serious and minor infractions


Swedish Data Protection Act

  • On February 25, 2016, Sweden's government summoned a specific investigator with the objective of proposing a new national regulation to supplement the GDPR

  • A report and draft bill were published on May 12, 2017

  • Stakeholders had until September 2017 to revert to the government

  • Government to prepare draft bill for Parliament on the basis of the comments received

  • Under the draft bill, the age of child consent is 13

  • The GDPR will not limit the Swedish constitutional provisions on freedom of the press and freedom of expression

  • The proposed bill introduces an exemption from certain provisions of the GDPR for the processing of personal data for journalistic purposes or for academic, artistic or literary expression




[1] Article 50, Treaty on European Union, OJ C 326, 26.10.2012, p. 13-390, available at

[2] Regulation 2016/679 EU on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016, p. 1-88, available at

[3] Information Commissioner’s Office, “Overview of the General Data Protection Regulation (GDPR),” available at

[4] “A New Data Protection Bill:  Our Planned Reforms, Statement of Intent”, DCMS, August 7, 2017, available at

[5] Article 8 of the European Convention of Human Rights (the “ECHR”) sets forth the right to respect for private and family life, the home and correspondence, available at, whose jurisprudence was historically adhered to by the EU courts and since 2012, pursuant to Article 6(2) of the EU Lisbon treaty, now forms part of EU law.  Similarly, Article 7 of the Charter of Fundamental Rights of the European Union (the “Charter”) sets out the right to respect for private and family life and Article 8 lays down the right to the protection of personal data, available at

[6] Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, available at

[7] Data Protection Act 1998, available at

[8] European Union (Withdrawal) Bill 2017-19, Clause 3, available at

[9] Directive 2016/680 EU on the protection of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, OJ L 119/1, May 4, 2016, pp. 1-88, available at

[10] Data Protection Bill (HL Bill 66), available at

[11] Supra note 4, pp. 14.  The EU has exclusive competence in the areas of:  customs; competition rules; Euro monetary policy; common fisheries policy; common commercial policy; and the conclusion of international agreements under certain conditions.  The EU shares competence with Member States in areas relating to:  the internal market; specific areas relating to social policy; economic, social and territorial cohesion; agriculture and fisheries; environment; consumer protection; transport; trans-European networks; energy; area of freedom, security and justice; certain public health matters; research, technological development, space; and development cooperation and humanitarian aid.  The EU also enjoys supporting competence (i.e., Member States are not required to act pursuant to an EU act, but the EU complements Member States’ laws or regulations) over the following policy areas:  the protection and improvement of human health; industry; culture; tourism; education, vocational training, youth and sport; civil protection; administrative cooperation.  See “Division of competences within the European Union”, available at:

[12] Article 4 (Definitions), Regulation 2016/679 EU on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016, p. 1-88, available at

[13] Article 2(2) (Terms relating to the processing of personal data) of the Data Protection Bill (HL Bill 66), available at

[14] Supra note 11, Article 4 (Definitions).

[15] Supra, note 12, Article 4(1) (Definitions).

[16] Supra, note 12, Article 8(a) (Child’s consent in relation to information society services).

[17] Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (“Directive on electronic commerce”), Recital 17.

[18] Supra, note 11, Article 8(1) (Conditions applicable to child’s consent in relation to information society services).

[19] Supra, note 12, Article 8(b) (Child’s consent in relation to information society services).

[20] Supra, note 11, Article 7 (Conditions for consent).

[21] Supra note 4, p. 8.

[22] Supra, note 11, Article 12 (Transparent information, communication and modalities for the exercise of the rights of the data subject).

[23] Supra, note 12, Part 2, Article 11 (Limits of fees that may be charged by controllers).

[24] Ibid.

[25] Supra note 4, pp. 8-9.

[26] Supra, note 11, Article 20 (Right to data portability).

[27] Supra, note 12, Article 71 (General principles for transfers of personal data). 

[28] Supra note 4, p. 9.

[29] Supra, note 12, Article 45 (Right to erasure or restriction of processing).

[30] Supra, note 11, Article 17 (Right to be forgotten).

[31] Supra note 4, p. 9.

[32] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González, Case C-131/12, May 13, 2014, available at

[33] “Google implements ECJ ruling on right to be forgotten”, Nicolas Hirst, Politico, May 30, 2014, available at

[34] Supra, note 12, Articles 94-96 (Rights of the Data Subject).

[35] Supra note 4, p. 9.

[36] Supra, note 11, Article 14 (Information to be provided where personal data have not been obtained from the data subject).

[37] Supra, note 11, Article 33 (Notification of personal data breach to the supervisory authority).

[38] Supra, note 12, Article 65 (Notification of a personal data breach to the Commissioner).

[39] Supra note 4, pp. 9-10.

[40] Supra, note 11, Article 8 (General conditions for imposing administrative fines).

[41] Supra, note 12, Article 33 (Notification of personal data breach to the supervisory authority).

[42] Supra, note 12, Article 178 (Maximum amount of penalty).

[43] Supra, note 12, Articles 161-163 (Recordable offenses).

[44] Supra note 4, p. 10.

[45] Supra note 4, p. 11.

[46] Article 45, Regulation 2016/679 EU on the protection of natural persons with regard to the processing of personal data and the free movement of such data, and repealing Directive 95/46/EC, OJ L 119, 4.5.2016, p. 1-88, available at

[47] “Brexit: the EU data protection package” House of Lords, European Union Committee, 3rd Report of Session 2017-19, July 18, 2017, p. 28, available at

[48] Supra, note 21 p. 26.

[49] For further information regarding the EU-U.S. Privacy Shield, you may wish to refer to Thomas Donegan, et al., European Commission Adopts the EU-U.S. Privacy Shield (July 13, 2016).

[50] Decision (EU) 2016/1920 on the signing of the Agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, available at

[51] Supra note 21, p. 34.

Authors and Contributors

Thomas Donegan


Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5566



Barnabas Reynolds


Financial Institutions Advisory & Financial Regulatory

+44 20 7655 5528
