The new European Data Protection Regulation is already in force and takes effect in May 2018. It was intended that a new ePrivacy Regulation would take effect at the same time and would ensure respect for private life, confidentiality of communications and the protection of personal data in the electronic communications sector. Though it also aims to guarantee the free movement of electronic communications data, equipment and services in the EU. However, discussions are still ongoing, so it is not clear if agreement will be reached by next year.
The key aspect of the revised data protection legislation is a requirement for “explicit consent” and this is seen as something that businesses will need to address before the legislation takes effect. AMDEA attended a meeting where a representative of the UK’s Information Commissioner’s Office expressed the view that existing “soft opt-ins” might be able to be carried over, but that where individuals had asked for data to be deleted this would apply to historic e-mails, though not to data that was required to be kept for legal reasons. There is also a view that when asking for data a specific time period for retaining that data should be stated, or at least a timescale for its retention to be reviewed.
Unfortunately, publication of the European Commission’s guidance is now not expected until the end of the year so the UK guidance will not be published until it has been evaluated to align with any changes at EU level.